Making a Risk Management Plan for Your Business

It’s impossible to eliminate all business risk. Therefore, it’s essential to have a plan for managing it. You’ll be developing one covering compliance, environmental, financial, operational and reputation risk management. These guidelines are for making a risk management plan for your business.

When you start the risk management plan with an executive summary, you’re breaking apart what it will be comprised of into easy-to-understand chunks. Even though this summary is the project’s high-level overview, the goal is to describe the risk management plan’s approach and scope. In doing so, you’re informing all stakeholders regarding what to expect when they’re reviewing these plans so that they can set their expectations appropriately.

Who Are the Stakeholders and What Potential Problems Need Identifying?

During this phase of making the risk management plan, you’re going to need to have a team meeting. Every member of the team must be vocal regarding what they believe could be potential problems or risks. Stakeholders should also be involved in this meeting to help you collect ideas regarding what could become a potential risk. All who are participating should look at past projects, what went wrong, what is going wrong in current projects and what everyone hopes to achieve from what they learned from these experiences. During this session, you’ll be creating a sample risk management plan that begins to outline risk management standards and risk management strategies.

Evaluate the Potential Risks Identified

A myriad of internal and external sources can pose risks, including commercial, management and technical sources, for example. When you’ve identified what these potential risks are and have your list complete, the next step is organizing it according to importance and likelihood. Categorize each risk according to how it could impact your project. For example, does the risk threaten to throw off timelines or budgets? Using a risk breakdown structure is an effective way to help ensure all potential risks are effectively categorized and considered. Use of this risk management plan template keeps everything organized and paints a clear picture of everything you’re identifying.

Assign Ownership and Create Responses

It’s essential to ensure a team member is overseeing each potential risk. That way, they can jump into action should an issue occur. Those who are assigned a risk, as well as the project manager, should work as a team to develop responses before problems arise. That way, if there are issues, the person overseeing the risk can refer to the response that was predetermined.

Have a System for Monitoring

An effective risk management plan includes a system for monitoring. It’s not wise to develop a security risk management or compliance risk management plan, for example, without having a system for monitoring. What this means is that a monitoring system stays in place until the project is finished to ensure risk doesn’t occur. In doing so, you’re ensuring no new risks will surface. If one does, like during the IT risk management process, for example, your team will know how to react.

Pandemic and health event risk management

A decline in the health of people and animal communities can also affect the health of your business.

Preparation and planning can ensure business continuity.

What is a pandemic or health event?

A pandemic is a worldwide outbreak of a disease or illness that spreads quickly and widely among human or animal populations.

Pandemics can pose a global threat bringing difficulties and disruptions to the lives of people and businesses. An epidemic is similar, affecting a locality rather than the whole world.

A health event may be a pandemic, an epidemic, or any other outbreak or instance that affects the health of humans or animals. Each has the potential of disrupting part or all of your business operations.

Risks to your business include:

  • illness and absences within your workforce
  • interruptions to logistics and suppliers
  • financial stress and potential loss of income
  • reduction in customer footfall to your premises
  • inability to trade and periods of lockdown.

Identifying the risk a pandemic or health event could have on your business, and developing a plan to reduce the impact, will help your business recover quickly.

To assist in identifying risks and developing a recovery plan, use the resources at writing a business continuity plan.

Download the business continuity plan template

This template includes a:

  • risk management plan section
  • business impact analysis section
  • incident response plan section.

Use this page to consider your risk of a health event and complete these sections of the template.

Download the business continuity planning template.

Pandemic illnesses in humans and animals

Pandemics occur when a disease, virus, or new variant of an existing virus spreads worldwide.

An event like this can significantly change the way businesses operate with some impacting specific industries more than others.

For example, swine flu mostly impacts the livestock and food industry.

Potential pandemic human health threats

  • There are 3 main types of the flu virus (A, B, and C).
  • Only type A viruses are known to cause pandemics.

Learn more about influenza.

  • The COVID-19 pandemic began in 2019.
  • A number of variants with different profiles have emerged since.

Find out more about Queensland COVID-19 health alerts.

  • Most swine flu viruses do not infect humans or do so mildly.
  • The H1N1 virus of 2009–2010 was an exception.

Learn more about swine flu and other viruses.

  • Avian flu is caused by a virus that affects wild birds and poultry.
  • There have also been human infections.

Learn more about avian influenza.

  • In the past, outside Africa, animal-to-human transmission of monkeypox has been rare.
  • Generally, outbreaks occur when an infected animal has been imported and then infects local animals.
  • Human-to-human transmission is possible.

Learn more about monkeypox.

Identified a specific health threat?

If you are concerned or suspect that you may have identified a specific health threat, the following phone numbers will provide you with assistance.

For health emergencies, call 000.

For medical advice, call 13HEALTH (13 43 25 84). This service is available 24 hours a day, 7 days a week and provides health information, advice or referral services.

Potential pandemic livestock, poultry and animal health threats

  • Affects poultry and other birds.
  • Can present with little or no signs of the disease.
  • Can spread rapidly throughout bird populations.
  • Can mutate into highly pathogenic avian flu.

Read about Australian outbreaks of low-pathogen avian flu.

Learn more about low-pathogen avian flu (US Centre for Disease Control).

  • Affects poultry, pigeons and other birds.
  • Viral infection often present in, and spread by, pigeon populations.
  • Affected birds can die within 3 days.
  • Outbreaks are reportable to Biosecurity Queensland.

Learn more about avian paramyxovirus.

  • Affects horses, dogs and humans.
  • Periodically present in flying fox populations.
  • Believed to be able to be transmitted from flying foxes to horses, and from horses to dogs and humans.
  • Mortality rate of infected horses is 80%.

Find out more about Hendra virus.

  • Affects bees.
  • Major threat to honey bees and crop pollination.
  • Not yet established in Australia.
  • High impact on almond, apple, cherry and other crops that rely on pollination, as well as honey bees, if established.

Learn more about the varroa mite.

Biosecurity is one of Australia's most important lines of defence and prevents many serious diseases from infecting plants and animals.

Learn more about biosecurity.

Business continuity planning for a major health event

Use your business continuity plan to consider, manage, and recover from disruptions to your business.

  • Download the business continuity plan template.
  • Find help writing a business continuity plan.

The information below identifies risks to your business, potential actions you could take and resources you can access for information and assistance.

Risk, potential action and resources

Potential action

  • Instigate remote working/work from home.
  • Improve workplace health and safety procedures.
  • Provide personal protective equipment (PPE), training and equipment.
  • Communicate to your staff and test where relevant.
  • Business health and safety resources for coronavirus (COVID-19)
  • Personal protective equipment (PPE) from WorkSafe Queensland
  • First aid and emergency plans from WorkSafe Queensland
  • Working from home from Safe Work Australia

Online ordering/home delivery (and possible zero contact) of products and services.

Websites, social media and digital marketing

Potential actions

Seek assistance from small business or rural financial advisory services.

  • North Queensland rural and small business financial counselling
  • Southern Queensland rural and small business financial counselling
  • Check government websites and contacts regularly.
  • Use kits and websites developed in response to the pandemic.
  • Contact key industry associations for communication kits and advice.
  • what is happening
  • what is being planned
  • where they can obtain more information
  • what they need to do, and when.
  • communicate with suppliers.
  • Queensland Health contacts

Obtain external advice and support services

Mental health and wellbeing resources for businesses

  • Communicate with existing suppliers.
  • Seek alternative suppliers.

Managing risk in supply chains

Follow government requirements, seek assistance, and restock when able.

National pest and disease outbreaks

Planning and preparation can minimise the impacts of a pandemic.

Learn about major health event preparation for small business.

Pandemics are external factors out of our control but by planning and preparing, your business can reduce the potential impacts.

Also consider...

  • Learn more about major health event preparation for small business.
  • Find advice on writing a business continuity plan.
  • Find tips and advice on managing risk in supply chains.
  • Last reviewed: 24 Nov 2022
  • Last updated: 24 Nov 2022
Risk management for businesses during the COVID-19 pandemic

COVID-19 has shown how unprepared many businesses are for the unexpected. Experts will be debating what could have been done differently for years to come. What we do know right now is that businesses and organizations should take advantage of times of stability to plan for unexpected events in order to protect life, property, and other valuable assets.

The term “risk management” is widely used in all aspects of life to describe the steps we take to avoid—or lessen—the damages associated with a potential risk. It typically involves the identification and assessment of risk by a coordinated application of resources to mitigate, control, and monitor the risk.

Any time you look at risk assessment, there are four basic questions to ask:

  • Identify risks: what can happen?
  • Determine probability of loss: how likely is it to happen?
  • Assess severity of outcome: what are the consequences if it does happen?
  • Mitigate risk: what can be done to manage the consequences?

Let’s look at some of the risks impacting businesses and how businesses can better prepare for the next pandemic.

Business risks associated with COVID-19

Businesses are dealing with significant financial losses, which have resulted in the need to lay off employees. Even formerly thriving businesses are struggling due to government-decreed closures. While the government has approved federal funding for some of those impacted by COVID-19, there is no guarantee that this will be enough. Some businesses will close permanently, and the economy will be further affected by those closures. Additionally, in order to bid on work opportunities, some prime contractors are requiring a pandemic policy. What can businesses do?

Follow directives

First and foremost, businesses should follow all CDC guidelines and governmental directives. We have heard the importance of social distancing and cleanliness and the preventative value of wearing masks and gloves. These guidelines are intended to protect each of us from getting and giving the virus to others. While stay-at-home directives have forced closures of nonessential businesses, the fact that the number of positive cases is beginning to stabilize is an indication of its success.

Develop a pandemic-specific preparedness plan

The purpose of such a plan is to serve as a reference for a safe and healthy workplace for all employees and ensure adherence to any CDC guidance, as well as governmental directives. Consider including the following sections:

  • Policy overview — What do you expect from your managers and employees in a pandemic? Include links to the CDC and require that anyone who may have been exposed to an infected person should remain in quarantine for the recommended number of days. This policy should also address other possible non-COVID pandemics (e.g., employees who have traveled to a region where another illness/disease is prevalent).
  • Essential roles — Who within your organization will be responsible for implementing the pandemic plan? Such roles include safety, training, technology, inventory, communication, and business decisions. This team of individuals will be responsible for managing the organization through a pandemic.
  • Employee risk mitigation measures — What should your business and employees do to lessen the spread of the virus? Consider measures such as making hand sanitizer and other cleaning products available for daily use by employees, providing sufficient workspace between employees, and encouraging employees to remain home when ill. You can also encourage employees to have regular medical check-ups, including appropriate immunizations.
  • Protocol for returning to work after a serious illness — What mandates should your business impose upon a person returning to work following a serious illness? For example, a signed release from a medical provider could be an appropriate measure.
  • Training on medical and health concerns — What training will you provide to your employees on health issues including the spread of a disease? The training should include initial symptoms, best practices for mitigation of risk, and prevention of spread.
  • Remote work — What allowances will you make to support employees working remotely during times of quarantine? Consider the type of work that is performed and whether it is conducive to remote work. There are some industries where this will not be an option.
  • Training on technology to work remotely — What technology will your employees need to work remotely? Instruct them on how to use software for meetings, collaborations, and communication.
  • Emergency communication — How will your business communicate with its employees to notify them of important and urgent matters? Consider establishing a robocall system that will alert employees of urgent needs.

Review financial sustainability measures

Does your business have enough capital to sustain itself during an extended shutdown? For how long? Would it be feasible to consider remote work as a permanent solution to lower costs? Are there other business solutions that could decrease expenditures? Some industries may be able to capitalize on this moment as the pandemic opens the door for new business opportunities. Each business will need to determine what makes the most sense for remaining viable.

Document any unplanned expenditures

What unplanned expenditures will your business accrue due to the pandemic? In the event of a federally declared disaster, the federal government will provide funding for eligible expenses to FEMA-eligible applicants impacted by the event. To take advantage of this funding, you will need to document your unplanned expenditures and hold on to all invoices and receipts for payment. Once a disaster is declared, the federal government will release details on what types of costs may be considered for reimbursement.

Assess technological systems

Does your business have the appropriate technology to continue operations during an extended shutdown? Do your employees have laptops, access to an internet with adequate bandwidth, and appropriate protection from computer viruses? Consider investing in software to allow for collaborative meetings and remote file access.

Examine contracts

Does your business have contracts that include a force majeure clause? A force majeure clause is a contractual provision that temporarily or permanently suspends contractual obligations when completion of work is not feasible due to circumstances that are beyond your control. This clause typically contains language that specifies which type of events are considered “unforeseeable,” so it must specifically list pandemic in order to apply. The contract should not be enforceable if it contains a force majeure clause and work is not possible due to COVID-19. Some states—such as New York, Florida, California, Texas, and Illinois—mandate the inclusion of force majeure language in contracts. It is likely that other states will now join in this requirement.

Consider pre-positioned disaster contracts

You may need to have contracts in place before an event occurs. Will you require a contract for a call center or to clean and sanitize work areas? Will you need any technology that is not currently in place? Healthcare facilities may want to consider having a pre-positioned contract for on-call medical providers. Having an enhanced supply of gloves, masks, and ventilators on hand may also necessitate additional contracts.

Consult with a risk advisor

Buying insurance is one of the most important risk management steps that businesses take in order to mitigate loss. The impact of COVID-19 on the insurance industry will be significant. Many types of coverage will be put to the test regarding coverage for a pandemic. Some of the issues we expect to see include:

Group health insurance

In the aftermath of COVID-19, how did your group health insurance coverage respond? Did your insurance company lift out-of-network restrictions for members who have only in-network coverage; lift daily limits for prescription refills; lift co-pay requirements for maintenance medication; extend premium payment and/or filing of claim deadlines; extend call hours for added support; add counseling (free) for limited time for members; or manage call operations from remote locations?

These are just some of the health care considerations for group insurers—not an exhaustive list. Talk with your insurance company to ensure continuation of medical benefits for those employees insured under a group health plan. With COVID-19, businesses should be mindful of the Health Insurance Portability and Accountability Act (HIPAA) and the importance of protecting personal health information. Protect the privacy of your employees who are ill with COVID-19 by only sharing their information with HIPAA-compliant parties—and only when you’re required to do so.

Commercial property insurance/Business income coverage

Most commercial property policies exclude coverage for pandemics and include standard exclusion for Loss Due to Virus or Bacteria. This exclusion means that the insurance company will not pay for “loss or damage caused by or resulting from any virus, bacterium, or other microorganism that induces or is capable of inducing physical distress, illness, or disease.” The Insurance Service Office responded in February 2020 with two new forms for Business Interruption Losses and Civil Authority Orders, both specifically related to COVID-19. Both forms grant limited coverage for COVID-19 when there is no direct physical damage to covered property. However, it is unlikely that any insurance company will be willing to endorse a current policy with an ongoing pandemic.

Workers’ compensation

One issue that will be looming over the industry is the compensability of a workers’ compensation claim for an employee. While the law is unique in every state, most state laws require a causal connection between the injury/illness and the individual’s work. There are many work environments—such as healthcare—that have significant exposure to COVID-19. The courts will likely determine if the illness/disease arose out of the work done by the employee. South Carolina, Minnesota, and Alaska are among some of the states that have introduced presumptive workers’ compensation legislation supportive of healthcare workers who develop the virus after caring for infected patients. Similar presumptive workers’ compensation legislation is likely in other states in the wake of COVID-19.

Commercial general liability

Coverage under the commercial general liability policies is dependent upon the allegations by a third party. We expect that liability claims will escalate in the months to come as individuals begin to question the actions of a third party in their handling of this pandemic. Several class-action suits against China for allegedly causing the coronavirus pandemic have been filed, citing wrongful exposure to the virus. Businesses must be ready to defend their risk decisions in the management of their employees’ and visitors’ safety and in addressing the needs of their clients.

What’s next?

History is a good predictor of the future. If we have learned anything from past pandemics, we know that this one is unlikely to be the last. Even as the stay-at-home restrictions continue, businesses can begin to address how to be better prepared for the next pandemic. Proper risk management will allow for mitigation of loss, improved recovery, and continuity of business.

Susan (MBA, CRM, CIC) is a risk management and insurance expert with more than 30 years of experience assisting clients in insurance and risk-related matters, including disaster planning, business continuity, resiliency, and recovery from disasters.

A business journal from the Wharton School of the University of Pennsylvania

Coping with Coronavirus: Five Strategies to Mitigate Business Risks

March 17, 2020 • 16 min read.

To help turn panic into proactive action, Steven Minsky, CEO of a risk management firm, lists a series of practical steps that all organizations should explore.

As CEO and founder of a risk management firm, Steven Minsky spends his time helping organizations manage pandemic, economic, supply chain and political risks. As the coronavirus continues its global march, its effect on business is no longer imminent; it is present. To help turn panic into productive and proactive action, in this opinion piece Minsky has put together a series of practical steps that all organizations should explore.

This is the first week that LogicManager, my Boston-based company, began its proactive two-week work-from-home trial. We wanted to put the health and safety of our 75 employees first and begin the learning curve of virtual business operations before we were forced to do so. Our goal was not to close the office but rather to reduce our employees’ public transportation exposure by minimizing commuting and proactively use social distancing techniques. Achieving social distancing is an example of one of five major risk considerations that organizations need to learn to manage. I will say more about that below.

We decided not to wait until we got more guidance from the CDC or our local, state or federal authorities and quarantine — as is happening in Italy, Spain, France and other countries — was suddenly implemented. In our preparation process, we used risk management to uncover many policies and processes throughout our various business departments. This trial period has given us a low-risk opportunity to test and iterate with the flexibility of going into the office if needed.

What would happen to your organization if illness led to a sudden reduction of more than 40% of your workforce? Is your organization in one of the many industries expected to experience a serious revenue downturn from this outbreak? Are our organizations as prepared as we might believe for the coronavirus pandemic, also known as COVID-19?

The effects of the pandemic – as the World Health Organization declared officially on March 11 — are predictable. The impact on our organizations, customers, vendors, and communities is knowable. Even so, as action remains elusive, there is a natural tendency for panic to arise. To help turn panic into productive and proactive steps to prepare, we have outlined five major risks and mitigation strategies that all organizations should explore.

Enterprise Risk Management for Coronavirus

Enterprise Risk Management is a technique and software infrastructure that makes those impacts clear to your organization, industry, and geography. It generates a plan of action and provides a mechanism for communication and implementation. A risk management framework engages everyone in your organization to support preparation and changes to reduce negative impacts from events. Reducing the coronavirus business effect is imperative. With this framework and enterprise risk management strategy, fear can be transformed into action and unease into peace of mind.

Five Business Risks

Here are some of the key risks that organizations face as the COVID-19 crisis deepens.

Risk 1: Disruption Due to Social Distancing

Social distancing is a term applied to certain actions that are taken by public health officials to stop or slow down the spread of a highly contagious disease. During the peak contagion months from December 2020 through March 2021, policies of “social distancing” are likely to be necessary in United States workplaces and schools. Most business events and travel will be curtailed or canceled during this peak period. How will your organization generate revenue and execute operations with workplaces mostly either off-line or remote? In 2019, only an estimated 14.1% of all retail sales worldwide were done through the Internet. With physical purchasing cycles potentially being disrupted, what will happen to that remaining 85.9% of business activity?

Risk 2: Plummeting Employee Productivity

Every industry will be impacted, as organizations are likely to see. Some 40% of staff during this period may be unable to work due to sickness, either directly or indirectly. Even if your employees are not sick, many will be affected by the need to care for ill family members. They may also need flexible working hours due to school and daycare closings.

Risk 3: Stressed Supply Chains

The global economy is still highly integrated and most countries and companies rely on vendors for their business. From pharmaceutical raw materials to electronics to most consumer-good products, there will likely be purchasing delays. Heavy equipment and manufacturing supply chains are already being impacted by COVID-19 spreading across Asia and Europe. Let us also not forget that a major trade war with many trading partners remains unresolved.

Risk 4: Recession, Unemployment and Investment Pull-back

Forecasts indicate that we will likely be in a full recession by the fourth quarter of this year. Will consumers reduce their spending? Conferences are getting canceled. Corporations are asking people to work from home. Schools are asking students not to return after Spring Break. Watch the hospitality industry for signs of economic health. The economic engine of growth is driven by continuous investment as well as consumption. Experts are uncertain whether a COVID-19 vaccine will be available before the first quarter of 2021. Investments are highly negatively impacted by uncertainty and corporations will likely cut back growth investments, contributing to a rapid rise in unemployment. There may be significant layoffs at existing businesses in the “second wave” of COVID-19 that may surge again in the third quarter.

Risk 5: Economic Instability and Civil Unrest

The United States will go through a major election cycle in November. This election, more so than any other in recent history, represents two very different sets of policy options that will dramatically alter how businesses operate from taxation to foreign trade to talent management. This is not a political statement. Either scenario is manageable. It is the uncertainty over which scenario will prevail and how those policies will be carried out that will drive the risk.

The U.S. budget deficit is at a record high. Government spending will ramp up, but that may not be effective due to lack of planning and preparedness. Great Britain has left the European Union and is likely to see dramatic changes go into effect in December 2020, which are likely to affect trade, immigration, and a large range of other areas of international business, at the same time a second wave of COVID-19 may be hitting.

So now what? Organizations need to put in place mitigation plans to address each of these risks. By taking these steps they will be in a better position to reduce the risks that the coronavirus will have on their business.

Mitigation Strategies

The mitigation activities that your business can prepare can be wide ranging depending on your industry, geography, size, and other factors. These initiatives may include activities such as shifting budgeting from fixed costs to variable spending to provide flexibility in times of uncertainty.

Below I highlight five risk management steps that organizations should think about as they defend themselves against the pandemic.

Step 1: Readiness Assessments

A readiness assessment is a good place to start when organizations don’t know what their business continuity program should comprise. Industry and role readiness templates as well as pandemic-specific templates allow an organization to evaluate their business continuity program against a best practice standard and identify where gaps may exist. These readiness libraries break down standards and best practices into actionable pieces so that organizations can track progress and adherence.

Step 2: Risk Management Plan

All organizations should complete a risk assessment on their core business processes to identify and prioritize any new risks or gaps in their existing controls for new scenarios like pandemic, recession, and geopolitical risks. First-level managers on the front line, when prompted with risks, are in the best position to assess how these scenarios will impact their areas of responsibility.

Step 3: Business Impact Analysis

Not all risks within processes or functions within an organization should be treated the same way. A business impact analysis allows organizations to identify which parts of the business are most critical to its operations. Use the results to determine which parts of the organization to prioritize during a business continuity plan event to maintain operations.

Step 4: Policy Management

As the pandemic evolves and new information arises, policies will need to be revisited, updated and communicated. For example, reviewing and revising a work-from-home policy will be effective only if dissemination of that revised policy is made with governance tracking for adoption across the organization.

Step 5: Incident Management

Incident management is typically a highly siloed activity embedded within a process. In times of change management, a unified enterprise-wide mechanism is needed as an input to evaluate the effectiveness of mitigation and policy activities as well as to manage the exceptions, which are typically 20% of all activities.

In LogicManager’s 15-year history, I have seen that 100% of business scandals were known at least six months in advance, with more than enough time to take action to eliminate most, if not all, of the downside.

Let’s walk through a specific example of how we used risk management to transition to “Work from Home” to learn how all this comes together:

Step 1: Readiness: Having a library of best practices standards like Center for Disease Control (CDC) and The Federal Financial Institution Examination Council (FFIEC) to guide your pandemic planning readiness is essential to start the thinking process of transformation. You can select just 10-25 questions from these standards and push them out to all managers enterprise wide or a subset of front line managers in sales, marketing, service, finance, HR and others in a risk management plan to learn their state of preparedness in risk management on any topic. To evaluate your overall readiness in risk management, take this assessment.

Step 2: Risk Management Plan: A number of risk events could trigger the need to work offsite (severe weather, pandemic, changes in infrastructure). These external risk factors should be assessed and prioritized.

From the FFIEC guidelines this is a readiness indicator we used that did double duty in our work from home readiness planning: “Testing communication and remote access capability (e.g., switching to alternate equipment or telecommuting)” is essential for businesses. We ask participants to list what could go wrong and what needs to happen. The idea of risk management planning is that one readiness assessment can serve many different kinds of scenarios so an organization will always be ready regardless of which scenario comes to pass.

Step 3: Business Impact Analysis: A Business Impact Analysis (BIA) should include the basic questions for each department head: (1) Are your employees equipped to work remotely with laptops? and (2) Can critical job functions be completed when working remotely? This BIA will help to identify what might need to change to better respond to business interruptions. A predefined, enterprise-wide standardized scale of 1-5 that works for all issues across the entire company should be used for any and all BIAs to “risk rate” the impact of the issue, the likelihood of this issue happening and the effectiveness of controls over that issue. The net score will help put all issues on a common denominator to allow an “apples to apples” comparison so you can quickly and objectively confirm with subject matter experts inside your organization what preparations are most important. For example, transitioning and transforming physical events and customer meetings into digital equivalents can achieve social distancing while still sustaining revenue generation.

Step 4: Policy Management: The risk assessment and impact prioritization will likely trigger a need to review policies and procedures to ensure the expectations and steps for working remotely are clearly communicated. For example, a WFH policy was developed for very short term or ad hoc needs. For a pandemic, the WFH policy needs to be tied to Key Performance Indicators (KPIs), as a pandemic WFH can turn into a six-week to six-month requirement and performance needs to be monitored to ensure goals are being achieved with leading indicators rather than lagging ones. For example, a review of the activities that lead to sales will let you know if any of your sales reps are struggling. These policy changes then need to be escalated to the right committee in your organization and then pushed back out to all employees and re-signed for people operations compliance. Tying the context of how this requirement was surfaced and when the policy was changed while providing evidence of acknowledgement by employees will save your organization from unintended compliance liabilities.

Step 5: Incident Management: Enable pre-made incident reporting webforms for employees to report events that would lead to remote work policies being triggered, escalate issues they identify when working remotely, and ask questions back to management. It is important that now that “management by walking around the water cooler/coffee machine” is gone, there is enterprise-wide incident management that provides all employees a way to escalate issues and concerns that can then be turned into a FAQ published back out to all employees on a one-business-day or less turnaround. This gives employees confidence in their job safety and provides managers at the appropriate level a holistic view of what is happening in their teams, departments and organization. For example, this includes questions like needing equipment like a monitor, keyboard or a headset to effectively work from home, getting manager approval, and figuring out a way to make the equipment available. It is critical that these incident management issues can be work flowed from the individual that reports it to the chain of who needs to take action and that this tracking and follow-up is recorded and reported. These incident escalations cannot be siloed within one department’s system; it needs to be an enterprise-wide resource and response management platform that ties back to each of the other five steps: Policy Management, Business Impact Analysis, Risk Management Plan and Readiness. The Business Impact Analysis scores will then carry forward to provide a follow-up priority and an affirmation sign-off that things get done.

What Does the Future Look Like?

Economists are debating if there will be a sharp, short recession or a prolonged downturn. I think this is not the most helpful of options to spend our time considering. The approach we need is to recognize we all have more than enough time to use the risk management methods I have outlined above to identify the business impact of the risks to our organizations and mitigate 80% of the negative outcomes. Then, we can monitor incidents that slip by to quickly make changes to policies and disseminate these policies back through our organizations in quick, tight iterative cycles. This approach will cover both scenarios and turn fear into action.

Since it is on everyone’s mind though, here is a risk management view of the domino effects: The first wave of fear we now find ourselves in is decimating the hotel, travel, restaurant, casinos, amusement parks, live performances, movie theaters industries where people congregate. These jobs cannot telecommute and do not typically have healthcare or much paid sick leave. This vulnerable segment may be enough to trigger a banking crisis of home mortgage defaults and a sharp hit to retail shopping. This indicates a sharp recession is already on its way.

Most health care experts believe a vaccine is more than a year from being in the hands of those who need it, and containment is no longer an option. That means the coronavirus is likely to enter a “second wave” as autumn turns to winter and the highly infectious COVID-19 makes up to 70% of the population sick over a two-year period. Mortality and severity of sickness aside, consider the fact that 80% of the U.S. GDP comes from the services industries. These services will be hard to provide if most of the population doesn’t want to interact face-to-face with customers. This points to the possibility that the recession may extend into a prolonged and deep downturn.

Still, there is a silver lining to every dark cloud. On the macro level, the Federal Reserve has announced it will pump in $1.5 trillion to stem the stock market meltdown. It remains to be seen how well this measure will work to stabilize the market.

On an organization-by-organization level, there will be those that adopt a risk-based approach to transition and transform their organizations to thrive in the new normal. As Winston Churchill once reportedly said, “No crisis should go to waste.” That is what happened during the disruption to air travel after the World Trade Center attacks on September 11, 2001. Airports that used risk management strategies were able to transform their transportation mission to include entertainment centers for travelers who needed to arrive two hours earlier than their flights. They redesigned airport terminals to have a vast array of restaurants, shopping and entertainment options behind security that did not exist before. This led to the creation of new revenue streams. In the same way, after the financial crisis of 2008, banks that had used risk management to diversify operations with new fee-based services were able to thrive by replacing the revenues lost from interest income.

The most important lesson to learn from severe shocks like this pandemic is that they represent an opportunity to permanently shift the markets in which we operate. Actions that may have previously seemed too difficult to deal with may now be addressable. We have seen pollution nearly disappear over Wuhan; perhaps we also have an opportunity to affect climate change. With so many organizations transitioning to systems where their employees can work from home for extended periods, perhaps telecommuting will replace long-distance commutes. That might give us some hours back each day to live our lives. With the focus on good hygiene, we may abandon the medieval practice of shaking hands. With the deep costs of health care, we may put up the money to find a cure for COVID-19 as well as the seasonal flu.

If none of these lofty — and possibly unrealistic — wishes is achieved, perhaps a small bright side is we may find comfort in binge-watching our favorite shows and reconnecting with our families. Moving the care and well-being of our families back to the center of our lives may well be a more positive outcome than anything that merely mitigates business risks.


Pandemic risk management; protecting people while ensuring business continuity

James Sneddon

1 Risktec Solutions (Canada) Ltd., Calgary Alberta, Canada

Associated Data

Data sharing is not applicable to this article as no new data were created or analyzed in this study.

The COVID‐19 pandemic swept across the globe in the latter half of 2019, throughout 2020 and into 2021. In response, many organizations implemented work from home policies, while others stopped operations entirely in an effort to limit the spread throughout their workforce and supporting communities. This containment strategy was not universally viable; long‐term shutdowns impacted the economic viability of companies, and some industries were designated as an “essential service” and thus continued operations. These employers faced the proposition of balancing the needs of the business and the community with a continued responsibility to provide a safe workplace for employees. This paper demonstrates how the application of common risk management methodologies, such as bowtie analysis combined with an appropriate assurance and verification process (e.g., the lines of defense model), can help the risks associated with a resumption or continuation of in‐person operations in a pandemic to be better understood and ensure the measures in place to manage said risk are appropriate and effective.


Since its appearance in December 2019, the SARS‐CoV‐2 virus (COVID‐19) has continued to spread, touching almost all corners of the world. The progression from outbreak to pandemic was soon accompanied by the swift imposition of lockdowns in many countries.

In support of the various restrictions imposed upon their communities, many organizations implemented work from home policies, while others stopped operations entirely in an effort to limit the spread. There were, however, industries where this approach was not viable, either because they provided an essential service or because of economic necessity. Now, more than a year on from coronavirus initially upending daily life and work, this situation remains.

Employers requiring their employees to remain in, or return to, an office environment, work site or operating facility face the ongoing proposition of balancing the needs of the business and the community with a continued responsibility to provide a safe working environment for their employees.

Common risk management methodologies, such as bowtie analysis combined with the lines of defense (LOD) model, can be adapted to help employers better understand the risks involved with a resumption or continuation of in‐person operations, ensuring the measures they have in place to manage this risk are appropriate and effective.


2.1. Introduction to bowtie analysis

Risk assessment lies at the heart of any form of risk management, and one of the most powerful of these techniques is the bowtie method. Its strength is that it goes beyond the usual risk assessment “snapshot” and highlights the links between controls, assurance and verification activities, and the underlying management system; a valuable trait when assessing the constantly evolving nature of a pandemic.

Bowties originated as a method for assessing operational risk, with the earliest mention of such an approach appearing within an adaptation from the ICI plc HAZAN Course Notes 1979, presented by The University of Queensland, Australia [1]. The Royal Dutch Shell Group was the first major company to integrate the bowtie method into its business practices [2, 3, 4] and is credited with developing the technique which is widely used today.

The bowtie method provides a readily understood visualization of the relationships between the causes of business upsets, the escalation of such events, the controls preventing the event from occurring, and the mitigation measures in place to limit the business impact (see Figure 1).

Figure 1. Bowtie framework

A description of the different components of the bowtie, and the method for building such a diagram are well‐documented [2, 3, 5], hence this paper focuses predominantly on its specific application within a pandemic risk management setting. Select definitions, within this context, are provided in Section 2.2, below.

2.2. Application of bowtie methodology to pandemic risk management

The application of bowtie methodology can be shifted from its more traditional use in high‐hazard industries to assessing the risk to an organization's workforce during the COVID‐19 pandemic in a relatively straightforward manner. Through graphical representation, bowtie analysis can map threats that may impact worker safety, identify and assess the safeguarding in place to prevent or mitigate different scenarios, and readily highlight any deficiencies or non‐conformances.

A representative example of how the bowtie methodology can be applied in the assessment of “worker safety” is provided in Figure 2, with select key definitions and accompanying examples outlined in Table 1.

Figure 2. COVID‐19 worker infection example

Table 1. Bowtie definitions


Bowtie analysis is not a panacea for managing risk in the current environment. It must be integrated within a wider risk management framework, enabling barrier implementation to be controlled and the risk profile for the organization to be consistently monitored.

The adoption of such a framework is of special significance to large organizations who face the following challenges:

  • How do we coordinate our response in a consistent manner across multiple facilities and offices?
  • How do we provide a large and geographically diverse workforce with readily available information on our response and the resources available?
  • How do we map and track compliance of safeguarding to ensure conformance and identify any deficiencies?

The following features of bowtie analysis, and its application within a robust risk management framework, help address these challenges.

3.1. Pandemic response communication

The bowtie is an excellent communication tool for the coordination of response. Dissemination of key information to the workforce can be actively managed via targeted outputs from the bowtie diagrams.

Information for each barrier on the bowtie diagram can be easily and swiftly communicated to the workforce in a one‐page summary (Figure 3), ensuring a coherent and well‐informed response, covering questions such as:

  • What is the barrier?
  • What does it do?
  • How does it perform?
  • How is it tested?
  • Where do I find documents with further information?
  • Who should I contact for further details?

Figure 3. COVID‐19 safeguarding summary

3.2. Barrier/safeguarding assurance and verification

In order to track how well prevention and mitigation barriers are performing, assurance and verification criteria must be defined as benchmarks to measure success. Such criteria are commonplace within high hazard industries in the form of Performance Standards. However, a more appropriate approach for managing the COVID‐19 response is the three LOD model.

The LOD model is typically deployed in an internal auditing function [6]. LOD modeling is a method used to gauge performance, enhance clarity regarding risks and controls, and help improve the effectiveness of risk management systems. It is based around three broad concepts (Figure 4):

  • LOD1: Self‐verification that activities have been completed as prescribed. Barriers are effectively controlling risks and are delivering planned performance;
  • LOD2: Independent functional assurance of conformance to requirements and quality of operating activities; and,
  • LOD3: Internal, external and regulatory audits to confirm compliance.

Figure 4. Lines of defense model

The LOD model can be applied to the prevention and mitigation barriers identified within the bowtie in the following manner:

  • Identify assurance and verification activities for each barrier;

Figure 5. Self‐verification (LOD1) checklist example

  • Collate responses within the auditing function of the bowtie software used (e.g., BowTieXP); and

Figure 6. Key performance indicator (KPI) dashboard example

3.2.1. KPI dashboard

The application of the LOD model to COVID‐19 response enables a real‐time view of the health of barriers, ensuring all non‐conformances and deficiencies are highlighted, together with a risk profile for each facility, office, or entity under consideration.

KPIs are defined as quantifiable measures used to evaluate the success of an organization, employee, and so forth in meeting objectives for performance. KPIs are traditionally applied to “Safety Critical Elements” within the process industry and help ensure that said equipment is being tested, maintained, and inspected at an appropriate interval, and remains robust through life. The assurance and verification activities for typical COVID‐19 prevention and mitigation barriers are relatively more straightforward and can be represented via a simple traffic‐light designation, which can serve to easily and effectively highlight how the identified barriers are being adopted across an organization:

  • Green: Barriers are fully implemented, with all self‐verification activities complete.
  • Amber: Partial implementation of barriers. Self‐verification activities indicate some deficiencies which can, and will be, resolved.
  • Red: Barriers not implemented / multiple deficiencies identified.

A representative example of a KPI dashboard is depicted in Figure 6.


COVID‐19 continues to present a unique and challenging environment for society and industry alike. As organizations continue operations, begin return‐to‐work preparations, or simply prepare for the ever‐changing restrictions placed upon them, the need to manage the risks inherent in such activities is paramount.

Bowtie analysis, and its application within an integrated risk management process, can help us better understand and manage these risks by:

  • Ensuring that the key hazards have been identified and appropriately assessed; including correct identification of threats, consequences, and both preventive and mitigative barriers;
  • Developing, implementing, and tracking a set of assurance and verification tasks, in line with the LOD model, to ensure performance of the identified barriers;
  • Highlighting any deficiencies in safeguarding, or non‐conformances with the developed assurance and verification tasks, and
  • Ultimately providing assurance that the identified risks are being managed / mitigated in a manner which is considered to reduce this risk to an acceptable (or As Low As Reasonably Practicable—ALARP) level.

Sneddon J. Pandemic risk management; protecting people while ensuring business continuity. Process Saf Prog. 2022;41(1):8-13. doi:10.1002/prs.12302

This article was prepared for presentation at American Institute of Chemical Engineers 2021 Spring Meeting and 17th Global Congress on Process Safety, Virtual, April 18‐22, 2021.



Risk Management


Has the business continuity plan been properly tested before being mobilised? What actions should be taken now versus in six months' time, and are there alternative ways of managing risk? Independent risk assessments, crisis management planning, scenario testing, financial feasibility studies and outsourcing non-operations functions are some of the ways to help mitigate and manage an organisation’s risk throughout the pandemic lifecycle.

Pandemic stage

Pandemic international outbreak

Business continuity plans

Liability risk management

Pandemic rapid response advisory

Outsourcing work health & safety / workers compensation solutions


Post-event response

Pandemics can damage an organisation’s business operations, financial performance, employee health and wellbeing, supply chains, stakeholder confidence, and can even drive a company out of business.

Insurance programs can help reduce financial impact, but should not be relied upon as the only source of protection. Organisations need to build insurance as a part of a comprehensive risk management strategy. For example, by focusing on pandemic business interruption risks and strategies designed to reduce and mitigate the impact of such potentially highly disruptive risks, Marsh Risk Consulting (MRC) can help organisations improve their business resiliency and protect their brand. This can be done through:

  • Supporting the identification of business critical activities and functions;
  • Reviewing or developing Business Continuity Plans;
  • Providing specific and detailed response guidance;
  • Running scenario workshops to test and develop strategies to improve continuity; and
  • Training employees on how they can understand and action the plan in the event of a pandemic (or another type of business interruption).

For more information, or to arrange a conversation with our Risk Consulting team, please contact your broker.

With the outbreak of a pandemic, companies potentially have new liability exposures that they may not have previously anticipated. In order to manage these new exposures, an organisation needs to first identify and understand these risks. It will then be well positioned to develop loss control and mitigation measures to reduce its liability exposures, mitigate losses, and ultimately protect its brand reputation.

Some of the increased liabilities that may arise due to a pandemic include:

  • Employee and third party liability – e.g., liability arising from individuals who are exposed to the virus at work, on your premises, or from coming into contact with your employees.
  • Management liability – e.g., liability arising from how senior management prepares for and responds to an outbreak.
  • Directors’ and Officers’ Liability – e.g., during or following a pandemic, shareholders may file litigation alleging, among other things, a lack of preparedness for the potential effects on corporate operations and revenues.

Marsh Risk Consulting (MRC) can provide risk management advice on how to effectively control these risks and reduce their impact on an organisation. In the current environment, organisations may wish to consider conducting a COVID-19 Risk Assessment as an initial step.

For more information, or to arrange a conversation with our MRC team, please contact your broker.

Typically, there is no longer time for preparedness once we are in the middle of a pandemic outbreak, as companies strive to make decisions live in response to a rapidly evolving situation. These decisions can have significant impacts on employees, operations, shareholders, customers and the future viability of the business.

During this period, Marsh Risk Consulting (MRC) can provide Pandemic Rapid Response advisory. We will place “boots on the ground” to help you develop a 30-day action plan. Leading or becoming part of your business continuity / crisis management team, we will provide data and insights to assist decision making, draft communications and ensure that you have the full resources of Marsh at your disposal to navigate through the pandemic.

For more information, or to arrange a conversation with our Marsh Risk Consulting team, please contact your broker.

Outsourced WHS and workers compensation solutions

As companies seek to reduce costs and respond to the financial implications of the pandemic, ultimately a decision needs to be made around what roles are essential to ongoing operational viability, versus what roles or functions can potentially be outsourced to reduce costs while still maintaining functionality.

Whilst not core operational roles, functions such as injury management, return to work, workplace health and safety (WHS) and wellbeing are still essential to ensure injury prevention and effective workers compensation outcomes. These roles can be outsourced to a service provider who specialises in these areas and can manage and deliver these functions to the business, allowing organisations to free up resources and focus on their core business operations.

Our Recovre team currently delivers outsourced WHS and workers compensation services to a number of businesses that have realised the benefits and flexibility outsourcing arrangements can deliver. One of the key benefits of an outsourced arrangement is that you get access to a team of specialist resources with diverse skillsets and experience as opposed to an individual. Outsourced arrangements can also be more cost effective, providing employers with the ability to ramp up or down without recruiting and retraining.

For over 30 years, Recovre (Marsh’s in-house safety, rehabilitation and return to work specialists) has been known as a leading Australian provider of customised workplace health & safety and workplace rehabilitation service solutions to help individuals and organisations realise their full potential.

For more information, or to arrange a conversation with the Recovre team, please contact your broker. 

Following a pandemic, companies have an opportunity to diagnose the effectiveness of their response, the causation behind any losses and identify what lessons were learnt. This can be valuable data that can inform the Business Continuity Plan, and better prepare an organisation for the next crisis that might occur.

Marsh Risk Consulting can conduct a COVID-19 Debrief Workshop and interviews with key staff to:

  • Identify and benchmark the overall effectiveness of the pandemic response;
  • Identify the causation of any losses and what was behind any decision making or if events were outside of your control; and
  • Make recommendations on lessons learnt and how these can be factored into future business continuity and crisis management plans.  

These workshops can be tailored to your organisation’s specific situation and needs. For more information, or to arrange a conversation with our Marsh Risk Consulting team, please contact your broker.

We are here for you

As COVID-19 continues to affect how we all do business and interact with one another, we are committed to continuing to deliver timely and relevant information to our clients and broader community. If you have any questions or would like to have a conversation about the impact coronavirus is having on your business, please reach out to your Marsh representative. You can also follow us on LinkedIn to stay abreast of our latest updates.

Resources and tools

  • Pandemic Lifecycle One-Pager
  • Pandemic Response Checklist

Download the Practical Guide to Returning People to the Workplace Safely

As the economy begins to reopen, how confident are you in your organization’s readiness for bringing people back to work? In this free guide, Marsh’s risk and safety professionals have drawn upon our extensive knowledge to identify immediate actions for your organization to consider as you prepare, implement, and manage a return to on-site work.


How to safeguard your business with COVID-19 risk management tactics


Multidisciplinary professional services organization


Six risk management steps to move quickly, stay focussed and keep your business running during and beyond the COVID-19 pandemic.

The economic impact of the COVID-19 pandemic is unlike anything the world has seen before. Time is of the essence to get a grip on this new kind of crisis. Business leaders need to show strong management and sound decision-making.

Previous experiences with crisis management can point where to start. By constantly identifying, prioritising, managing and responding to multiple risks companies can ensure their future. A solid risk management approach also helps companies safeguard the wellbeing of their people, clients and other stakeholders. It’s therefore key to have the right organisation, people and processes in place.

Usually a risk management life cycle consists of four stages: prevention, detection, response and mitigation. But this crisis forced companies to respond quickly, with hardly any time for prevention and detection. Yet, this crisis is still at an early stage. And it’s time to prepare for a long unpredictable journey. This includes thinking about the next phase: the gradual lifting of the confinement measures and the resumption of activities.

Here are six important steps to keep your business running at as high a capacity as possible:

1. Set up a crisis management task force

Managing a crisis requires governance and process management. For businesses to survive a crisis, they should always establish a crisis management task force first that directly reports to senior management.

The cross-functional team will have to focus on four core tasks:

  • Risk and response assessment
  • Monitoring, analysis and reporting
  • Crisis operation management
  • Communication

The task force can then function as a project management office (PMO) that will have to address workforce management and employee wellbeing, customer and brand protection, finance management, supply chain, and any legal and contract issues. There’s no one-size-fits-all approach. The crisis affects businesses differently and the focus per topic will vary for each company. Think about food retailers who had to deal with replenishment issues because of hoarding in comparison to fashion retailers that had to close their shops.

2. Identify current and emerging risks

In uncertain times a company faces multiple risks at the same time. It’s therefore important that, while you’re setting up a crisis management task force, you also initiate a first risk assessment. Make an inventory of all the current and potential risks. This will help to get a more realistic sense of what is happening and provide the task force with the fundamentals to manage the crisis.

Risk identification focuses on four categories that cover a wide range of business risks:

  • People: What risks exist to the safety of people, clients and other stakeholders? What could negatively impact employee engagement and motivation?
  • Financial business aspects: Will customers continue to buy and pay? What are the liquidity risks?
  • Supply and operations: Have you defined your supply chain and production risks? How are operational processes impacted?
  • Demand and commercial activities: How will demand disruption and shocks impact you? How have customer interactions changed?

3. Prioritise risks based on impact and likelihood

The next step is to evaluate and prioritise risks based on impact and likelihood. Risks that are very likely to happen and have a big impact need to be tackled first. Next come high-impact risks that are less likely to occur, followed by low-impact risks that will certainly happen. Low-impact risks that will probably never happen get the least priority.

During a crisis people have a tendency to get overwhelmed and leap into action without consideration. Prioritising your risks will help to clear up the fog and stay focussed.


4. Deciding on risk mitigation and the right course of action

Each type of risk requires a specific approach. Which responses are possible?

  • Reduce the likelihood of the risk ever happening (risk prevention). This is the best course of action. For example, communicate extensively about an ample and continuous supply of basic products.
  • Reduce the impact of the risk that will happen (preventive action), like building up stocks.
  • Prepare to cope with the impact, like optimising distribution of available products over different locations.
  • Develop a recovery plan to repair the damage and ensure you are up and running as soon as possible. For example, organise a promotion for products that were previously out of stock.
  • Adjust for long-term consequences, whether the crisis persists or you need to prepare for the next one. Learn and make changes for the future. For example, review your planning and forecasting process.

When faced with the mammoth proportions of this crisis, companies tend to fall back on their own organisation. Also look outside your organisation for support. Federal, regional and local governments, as well as industry organisations, are setting up programmes. Banks and even your clients and suppliers can help too. Everyone is in the same boat. And if there’s one thing this crisis has shown us, it is that anything is possible if people move away from the well-trodden path. Just think about supermarkets joining forces to deliver groceries to healthcare workers.

5. Plan, monitor, act, evaluate – Repeat

These are extremely volatile times. What is true today may be radically different tomorrow. This means the risks and your responses keep changing too. Your first risk and response assessment is just the beginning. You’ll need structure and processes for the long-term management of the crisis. For each prioritised risk you will need to plan, monitor, act accordingly and evaluate as the situation keeps evolving. You basically need to set up an overall risk management programme with separate workstreams and dedicated teams per type of risk. That’s where your risk management task force comes in.

Priorities also evolve. The first priority was the safety of people, closely followed by cash management and cash flow optimisation. With the gradual lifting of restrictions, the focus will shift to supply chain and restarting operations.

6. Keep track of your organisation

In times of crisis people tend to switch to survival mode. Don’t lose track of the rest of the organisation and guarantee business continuity, including when you’re resuming business and new tasks emerge. The crisis management task force and programme are there to get a grip on things, so that the rest of the organisation can continue with daily operations. Managing the crisis and its risks properly also creates more time to see beyond the crisis and build resilience for a better future.

Having the right organisation, people and processes in place empowers your organisation to constantly plan, monitor, act on, evaluate and mitigate risks. Handling current and emerging risks with determination not only ensures the future of your organisation. A solid risk management approach also helps protect what matters most: the wellbeing of the people that are part of your organisation.

Reshaping results with crisis risk management

Thanks to solid risk management methodologies, an integrated team of EY experts supports companies in complex, critical or urgent situations to identify, prioritise and manage risk. Building trust and truly understanding our clients’ needs is part of our DNA. We therefore combine technical and functional expertise, underpinned by a strong commitment to excel for each client.

Discover the complete series of articles by following us on social media #CrisisManagement #COVID-19 #ReshapingResults.

Reshaping results

We help you respond to the challenges of COVID-19, providing trusted leadership in these urgent, critical and complex situations to help you recover and preserve value for a better future.


With the COVID-19 pandemic businesses face increased economic disruption and uncertainty. Creating a crisis management task force and solid programme to manage current and emerging risks is the key to a prosperous future for both the organisation and its people.


EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.


© 2020 EYGM Limited. All Rights Reserved.


This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.



  1. Pandemic Planning for Business

  2. COVID-19 business continuity plan: Five ways to reshape

  3. Free COVID-19 Risk Assessment Template

  4. Pandemic Risk Management vs. Realistic Enterprise Risk Management

  5. Aon

  6. Sample Risk Management Plan Free Download



  2. Community Risk Management Plan 2040

  3. #risk in #business

  4. Why manage risk in projects?

  5. What is The Risk Management Plan creation

  6. Global Risk Consultants interviewed by RISKWORLDTV (part 2)


  1. Making a Risk Management Plan for Your Business

    It’s impossible to eliminate all business risk. Therefore, it’s essential for having a plan for its management. You’ll be developing one covering compliance, environmental, financial, operational and reputation risk management.

  2. Pandemic Relief Plans Are Ending Soon. Here’s What You Need to Know

    The COVID-19 pandemic has affected everyone across the globe in innumerable ways and in every facet of our lives — socially, mentally, economically, personally — and it continues to impact our day-to-day living in untold ways.

  3. Why Do Managers Plan?

    Business managers plan for several reasons, including to mark progress and achievements made along the way, to motivate themselves and employees to reach goals and to monitor financial status. Planning is essential for business managers in ...

  4. Pandemic and health event risk management

    On this page · What is a pandemic or health event? · Pandemic illnesses in humans and animals · Business continuity planning for a major health

  5. Risk management for businesses during the COVID-19 pandemic

    Any time you look at risk assessment, there are four basic questions to ask: Identify risks: what can happen? Determine probability of loss: how

  6. Coping with Coronavirus: Five Strategies to Mitigate Business Risks

    ... pandemic. Step 1: Readiness Assessments. A readiness assessment is a ... Management, Business Impact Analysis, Risk Management Plan and Readiness.

  7. Business steps to mitigate the effects of COVID-19

    The many other risks that your business faces aren't diminished by an epidemic.

  8. Pandemic risk management; protecting people while ensuring

    This containment strategy was not universally viable; long‐term shutdowns impacted the economic viability of companies, and some industries were designated as

  9. Pandemic Risk Management

    This will then inform the risks and opportunities in Clause 6, Planning. Top

  10. Risk Management

    Business continuity plans · Liability risk management · Pandemic rapid response advisory · Outsourcing work health & safety / workers compensation solutions.

  11. How to safeguard your business with COVID-19 risk management

    ... business running during and beyond the COVID-19 pandemic ... plan, monitor, act on, evaluate and mitigate risks. Handling current and emerging

  12. Business Risk Management in Times of Crises and Pandemics

    Mamdani-type assessment and prediction of the probability of risks of operating activities of enterprises. K. Kozhukhina and K. Costin (2019)

  13. Role of Risk Management and Standardization for supporting

    During the pandemic, there have been changes in the business process ... Journal of Business Continuity and Emergency Planning, Volume 15(1), pp.

  14. 7 Pandemic Risk Management Tips to Implement Now

    7 Pandemic Risk Management Tips to Implement Now · Appoint an emergency response team. · Backup your supply chain. · Tighten your security.