View The FTX Files

Titan Grey stands ready to assist on business risk management matters of the nature discussed in this Titan Grey Thought Leadership piece. Please inquire via e-mail to hello@titangrey.com.

Titan Grey Thought Leadership is presented subject to certain disclaimers, accessible here.

Summary

The Threat

The single-most important takeaway regarding the Omicron variant of COVID-19 is its high rate of infection. As differentiated from the Delta variant and prior forms of COVID, the Omicron variant has arrived with swifter increases in case counts. The CDC has attributed this to: 1) higher rates of transmissibility of the virus variant itself; and 2) the variant’s evasion of immunity from prior COVID infection and/or vaccination.

Early data suggests that illness from the Omicron variant of COVID-19 may generally be less severe than that from the Delta variant or prior forms of COVID. This information, which has been widely disseminated, may inform a less risk-averse perspective in individual decision making with respect to the current COVID threat landscape. Nevertheless, any COVID-related infection of personnel, regardless of severity, requires active response, risk mitigation, management and communication.

The Omicron variant will pose a greater than expected threat to businesses at the start of 2022, brought on by its high rate of infection, potentially unmitigated by prior vaccination efforts and immunity generated by prior infection, and furthermore fueled by increased spread due to holiday travel, gatherings, and other behavioral factors.

Active Risk Management: Key Approaches for Business

The threat of the Omicron variant demands action on the part of business leaders and management teams. What follows is a select list of key considerations for businesses in response to the emerging and dynamic set of risks imposed by the Omicron variant.

Step 1: Key Dependency Mapping

In-Office Functions: Critical Workstreams Requiring Physical Presence

For many companies, certain critical functions can only be performed physically in company offices. From checking mail and parcel deliveries to performing tasks requiring the use of non-portable equipment, it is essential that businesses have a full understanding of their core office presence requirements.

Non-Resilient Functions: Persons Having Sole Competence In Key Tasks

Particularly in startups and emerging companies, it is common for certain key business tasks to be the sole domain of a single individual. It is essential for businesses to have an up-to-date list of all key tasks for which the business is dependent on one employee. When forming / updating such a list, it is wise for businesses to take adjacency into account, viz. understanding which other employee is best suited to perform each identified task.

Insight

Mapping exercises are best conducted using a two-step process:

1. Management-level top-down structuring; then

2. Unit-level bottom-up detailing.

Engagement of personnel at all levels of an organization’s chain of command in each business vertical is essential in gathering a complete picture of dependencies within the organization. In most cases, dependencies exist at the lowest level of function, far outside the knowledge and oversight of management stakeholders.

Step 2: Company Policy Updates

In order to best protect against the threats posed by the Omicron variant, companies should strongly consider adjusting internal policies and procedures. These adjustments must, of course, be specific to the unique nature of every company’s individual business requirements, abilities, opportunities, workforce composition, geographic footprint, industry segment, and a variety of other factors. These adjustments, likewise, should be made on a temporary basis, the duration of which should correspond with the best available information on the ongoing nature and risk level of the Omicron variant threat. The following represents a set of policy positions designed to reduce—to the greatest extent possible—risk posed by the Omicron variant to ongoing business operations:

• Shift to a near-term “Work From Home” (“WFH”) model to the greatest extent possible.

• Business units with critical responsibilities requiring an in-office presence should adopt a rotational schedule with only the minimum number of personnel required working from company offices at any time. Each unit should target a goal of one employee per office location per day.

• Key in-office tasks should be consolidated to daily lists for each in-office day. The staff members of each business unit having key in-office tasks should be cross-trained to perform tasks below, at and above their typical scope of duties. This represents an opportunity for junior personnel to gain experience and visibility into the roles and responsibilities of more senior staff, while likewise representing an opportunity for more senior staff members to demonstrate core leadership skills by “flexing downwards” into tasks usually beneath their role / level.

• In certain situations, it may be wise to cross-train staff members of related or “adjacent” business units to perform such critical in-office functions of the other unit or units, yielding further opportunities to limit the number of in-office staff required to cover all critical in-office functions.

• All personnel having sole competence in key tasks / business functions should, with their managers, create procedure documents and training materials (to the extent necessary) in order to create business unit resiliency in such areas.

• Institute key in-office safety protocols (with emphasis on legally required measures pursuant to relevant laws, rules, ordinances, etc.). Such measures should include mandatory use of masks when in-office, limiting personnel gathering in small spaces (e.g., elevator capacity limits, where feasible), closure of gathering spaces (e.g., staff lounges), sanitization of workspaces, and other key infection prevention measures.

• Suspend all business travel not strictly necessary for the continuity of business.

• Institute mandatory out-of-office periods following any travel by in-office personnel, with a requirement of a negative COVID screening prior to office re-entry.

• Create protocols and procedures for personnel to report both exposure and/or a positive COVID test result. It is critical that such procedures maintain the privacy of the personnel involved and limit access of identifying information to the greatest extent possible, and, in any event, in compliance with relevant laws / rules / regulations around the privacy of healthcare information.

• Create protocols and procedures for the external reporting of COVID exposure information to necessary third-parties as required by law, rule, regulation, contract or best practices (e.g., reporting to landlord / property management company re: in-office exposure). Staff members given responsibility under such protocols / procedures should be trained in order to provide necessary information while preserving business / personnel privacy as required.

• Assign roles and responsibilities to certain staff members to maintain the organization’s situational awareness of the ongoing Omicron variant threat. Responsibilities should include the intake, parsing and upstreaming of key threat-related information, developments in infection countermeasures, changes to relevant laws / rules / regulations / ordinances governing the organization’s conduct / COVID response, and other related information useful to managing COVID and Omicron-related risks.

Insight

Company messaging and employee training are essential to the success of any policy or procedure. Businesses must ensure that all personnel are aware of and have been given training in all new policies and procedures.

Step 3: Proactive Considerations

Protection: Masks, Sanitizers & Other Protective Equipment

With supply chain concerns presenting an ongoing concern as 2022 begins, companies should consider maintaining adequate stocks of key protective equipment such as masks, sanitizers, and other items of PPE relevant to their business needs.

Diagnostics: In-Home & Medical Testing Resources

COVID testing continues to present challenges for individuals and businesses in many locations nationwide within the US and worldwide. Businesses may consider providing employees with testing solutions in order to ensure access and minimize business disruptions.

Technology: Resources For Remote Collaboration

The need for seamless remote-work collaboration has been present since the dawn of the COVID-19 pandemic. However, with the onset of the Omicron variant, the ongoing nature of this need has been made clear. Companies should ensure that business units and employees are properly resourced to maintain productivity in what may be an extended remote-work scenario.

Information: Vetted Sources Of Risk Intelligence

Business decision making is only as effective as the timeliness and accuracy of the information on which it is based. Business leaders and management teams must ensure that critical information from reliable sources is readily accessible.

Protection: Respirator & Mask Types; Use Cases

The latest threat intelligence, at the time of this writing, suggests that cloth masks alone will be insufficient to adequately protect against the spread of the Omicron variant of COVID-19 due to its heightened transmissibility and observed increased rate of infection.3 4 The following reflects current guidance from medical / infection prevention authorities on best practices for use of respirators / masks in non-medical settings:

N95 Respirator

• Certified by US National Institute for Occupational Safety & Health (NIOSH).

• Bears certification markings re: NIOSH certification as N95.

• Features nose-bridge clip and head-loops (not ear-loops).

• Forms tight-fitting seal around wearer’s face.

• Provides adequate protection in high risk / crowded environments.

KN95 Respirator

• Certified under Chinese standard GB2626:2006.

• Bears certification markings re: KN95 certification. May also bear CE (EU standard) markings.

• Features nose-bridge clip and ear-loops.

• Forms tight-fitting seal around wearer’s face.

• Level of protection may vary (high risk of counterfeit / potential quality control issues).

Cloth + Surgical Mask

• Surgical or other disposable mask to be worn inside of cloth mask.

• Surgical or disposable mask should be made of multiple layers of non-woven material.

• Surgical or disposable mask should feature nose bridge clip.

• Combined masks should fit snugly, with no gaps and covering nose and mouth.

• Increased level of protection vs. cloth only; recommended if no certified respirator available.

Cloth Mask Only

• Not certified for protection against COVID-19.

• Should be made of multiple layers of breathable fabric and should allow visible light through.

• Should feature nose bridge clip and fit snugly, with no gaps, covering nose and mouth.

• Lowest level of protection of listed options.

• Should not be worn in high risk / crowed environments.

Key Considerations For Identifying Counterfeit Respirators

N95 Respirators

The CDC has become aware that counterfeit N95 respirators are being sold in the US through various channels. It is vital, when purchasing N95 respirators, to ensure that such respirators are genuine. Genuine N95 respirators will typically bear the following markings / characteristics: 

• NIOSH (properly spelled) name in block print or NIOSH logo.

• Approval number, beginning with “TC” and formatted “TC-###-####” (TC + 7 digits total).

• Brand name / make and model number of respirator.

• Filter class and efficiency level of respirator (e.g., “N95” for filter class “N” and 95% efficiency level).

• Does not appear on CDC list of counterfeit respirators.10

• Utilizes head loops; does not utilize ear loops.

• Does not bear any beading, sequins or other decorative embellishments.

• Does does not make any representations regarding use for children.

KN95 Respirators

Chinese customs authorities have become aware that counterfeit KN95 respirators are being exported from China and sold in international markets. While it is more difficult to ascertain whether KN95 respirators are genuine or counterfeit, genuine KN95s will typically bear the following markings / characteristics:

• Packaging must read “not a medical device,” “not for medical use” or similar.

• Must be in retail-quantity packaging and may not be in bulk packaging.

• Must not contain FDA logo anywhere, neither on packaging nor on respirator itself.

• May bear “CE” marking (EU conformity) accompanied by “EN149-2001 + A1: 2009” (technical standard).

• May bear “KN95” marking (Chinese standard) accompanied by “GB2626-2006” (technical standard).

• Must be accompanied by product certificate detailing name of product, name of manufacturer, technical standard, batch number, production date, warranty date and model specifications.

• Does not appear on CDC list of counterfeit respirators.

Diagnostics: In-Home & Medical Testing Resources

The increased likelihood of Omicron-related infections is expected to yield heightened near-term demand for COVID diagnostics. To promote employee health, ensure workplace safety and minimize business disruptions, employers should strongly consider deploying resources towards easing / facilitating access to critical testing and medical care resources for their employees.

• The current availability of testing resources vs. demand is swiftly approaching crisis levels. Reliance on public health options for diagnostics may subject employees and employers to potentially avoidable delays and disruptions.

• As applicable, businesses should engage their health insurance providers in discussions around what diagnostic and care options exist under the business’s existing coverage, and communicate internally to all employees specifically regarding the resources available to them under current company policies.

• Several diagnostics companies offer scaled COVID testing solutions for businesses of various sizes and scopes. Businesses should consider conducting market due diligence on solutions providers and evaluating the costs and benefits of purchasing a COVID diagnostics solution for employees.

• Businesses may also wish to consider engaging directly with suppliers for bulk purchases of at-home COVID tests for availability to employees, as supply shocks and other supply chain issues may hamper individual access to at-home test kits.

Insight

The surge in COVID cases related to the Omicron variant poses threats not only to employees’ physical health, but mental health as well. With reentry into stricter social and lifestyle restrictions (e.g., quarantine protocols, travel bans, etc.) looming large, it is vital that employers ensure that employees are taken care of in all facets of health. Positive company messaging is a key starting point. Companies should also engage with their health insurance providers and related resources to assess and potentially augment mental health options for employees (e.g., mental health appointments, EAP services, etc.). Finally, employers should engage employees in discussion around their concerns and take appropriate / viable steps to maintain positive company culture. Employers may choose supplement the aforementioned with enterprise solutions from the wide and ever-broadening marketplace of apps, programs, courses, and other service offerings focused on maintaining /improving individual mental health.

Technology: Resources For Remote Collaboration

Since the dawn of the COVID-19 pandemic, most, if not all, businesses have had to implement some form of “work-from-home” or remote collaboration processes. However, while these measures may have been viewed as merely a stopgap for a temporary period of disruption, the onset of the Omicron variant warrants a review of such processes, together with the technological solutions underpinning them, with a eye to long-term / more permanent use.

• The first and most critical step in technological resource planning is user engagement. With some level of solutions likely already in place, businesses should conduct end-user surveys across business units to gain an informed perspective on what works vs. what doesn’t.

• Technology-based solutions should focus on three key facets: a) remote meeting tools; b) project management and collaboration utilities; and c) remote onboarding and staff training functionality.

• The paradigmatic value in choosing technological solutions should be ease of use by end users. With employees having to learn a “new way to work,” the best and most effective solutions will be ones which employees face no issues with implementing.

• IT resources should be made available to end user employees on a real-time basis to ensure proper rollout. Employees should be encouraged to reach out to IT resources at the moment they encounter issues in order to prioritize enterprise-wide solutions over in-the-moment (and often problematic) workarounds. Rigorous end-user testing / piloting prior to purchase is preferable, if timelines allow.

• Prolonged remote work scenarios often yield heightened employee fatigue and “burnout” due to an overload of e-mail, chat, virtual meeting and other communications. Over-frequent communication can be pre-empted by proper and rigorous use of project management and collaboration resources such as working dashboards, issues logs, and other technology-based resources. Ensuring that use of such systems becomes a “sticky” experience and “first thought” approach for end users is key, and will, in many instances, require significant employee training, with specific emphasis on training for managers.

Insight

Involving end-user stakeholders in a solutions diligence / RFP process is a highly value-additive approach to properly resourcing a business for productive remote work. Management, in partnership with IT leaders, should deploy employee engagement exercises such as surveys, town hall meetings, breakout meetings, Q&A hours and similar forms of user engagement to gain a broad-based understanding of the scope and details of pain points, challenges and opportunities with respect to IT systems and resources. Management should then charge IT leaders with the mandate of compiling such data into key desired value propositions with a corresponding assessment rubric for use in a market due diligence / RFP process to evaluate proposed solutions and service offerings by third party vendors. Where possible, end-user testing and pilot programs may offer substantial supplemental value in the evaluation process.

Information: Vetted Sources Of Risk Intelligence 

As the threat posed by the Omicron variant of COVID-19 continues to shift and manifest in new forms, it will be vital for business leadership and management teams to stay informed on current developments in as close to real-time as possible. While this resource presents a crucial starting point, key information and corresponding risk management strategies and tactics will change as this threat evolves. Businesses must avail themselves of available risk intelligence and planning resources on as early a basis as possible.

• The ecosystem of laws, rules, regulations and ordinances from a federal, state and local perspective will be different for every business. It will be necessary for companies to connect with key external resources mapped to the specific jurisdictional geographies governing their respective business footprints.

• At the time of this writing, in the United States, there exists a lack of clarity regarding the intersection of federal versus state and local mandates regarding COVID-related risk management protocols and requirements. It is recommended that business leaders connect with relevant legal resources in order to best understand and plan for possible outcomes and compliance requirements.

• As potential compliance changes and updated requirements will affect employees directly, it is critical that business leaders engage their HR leadership in order to gain insight into how potential new mandates may affect workforce availability, employee sentiment and overall company culture. Proactive risk management and internal communication to employees will prove vital to positive outcomes.

• Businesses may also wish to consider engaging non-legal consulting resources to assist with risk management planning and solutions deployment.

Step 4: Key Resources

Official Communications & Authoritative Information

The following represents a selection of regularly updated key sources of Omicron risk information which may be consulted for further / ongoing threat assessment:

• CDC Omicron Variant – https://www.cdc.gov/coronavirus/2019-ncov/variants/omicron-variant.html

• CDC Workplaces and Businesses – https://www.cdc.gov/coronavirus/2019- ncov/community/workplaces-businesses/index.html

• CDC Travel – https://www.cdc.gov/coronavirus/2019-ncov/travelers/index.html

• US State Department Travel Advisories – https://travel.state.gov/content/travel/en/traveladvisories/traveladvisories.html/

• CDC Counterfeit Masks & Respirators – https://www.cdc.gov/niosh/npptl/usernotices/counterfeitResp.html

• US Department of Labor Coronavirus Resources – https://www.dol.gov/coronavirus

• OSHA Coronavirus Resources – https://www.osha.gov/coronavirus

• Vaccines.gov – https://www.vaccines.gov/

• US DOJ Coronavirus Response – https://www.justice.gov/coronavirus

• US EEOC Coronavirus Resources – https://www.eeoc.gov/coronavirus

Titan Grey stands ready to assist on business risk management matters of the nature discussed in this Titan Grey Thought Leadership piece. Please inquire via e-mail to hello@titangrey.com.

Titan Grey Thought Leadership is presented subject to certain disclaimers, accessible here.

Introduction

Taking steps to ensure employee physical security not just in the workplace, but also commuting to it, is an essential component of a comprehensive business risk management program. In light of a recent uptick in street crime (robbery, larceny, assault, etc.) targeting individuals and personal property across several major cities in the United States, Titan Grey recommends that businesses revisit this topic area and implement certain key risk management practices in order to mitigate threats to employee safety and security.

Scenario

Major cities have generally seen an uptick in street crime over the last year. Our review of the New York City Police Department’s CompStat data indicated a 25% increase in robberies, a 23% increase in misdemeanor assault, and a 15% increase in felony assault over the period from November 2020 to November 2021. The impacts have been broadly felt in office-heavy zones, such as Midtown Manhattan and the Financial District. To the extent these crimes target individuals on their way to or from the workplace, there are follow-on effects which impact not only the individual, but likely the employer as well.

Companies should take a broad view of providing for employee safety and security not only in the workplace, but around the workplace as well. While workplace incidents certainly do pose risks for businesses, so too do incidents occurring outside of the workplace—for example, on employee commutes.

Risk Overview

Employee physical security is of primary concern, and employers should have a strong interest in providing enhanced protective measures for employees for this reason alone. Furthermore, employees commuting to work are also likely to be carrying with them certain items of company property, such as laptops, mobile phones, etc. Finally, physical materials containing company and/or client (as applicable) confidential information may also be present. The loss of these items in a robbery or larceny scenario create risk directly to companies’ business operations in several distinct ways.

Risks

1. Employee suffers injury requiring hospitalization and/or treatment which negatively impacts ability to perform job duties.

2. Crimes committed against employees causes decreased workplace morale and negative impact to company culture.

3. Public relations and headline risk related to news stories about employees being victims of street crime on way to / from work at the company.

4. Risks posed by commuting to work lead to employee unwillingness to commute to workplace (where workplace is back to hybrid or full-time in-office), and potentially to employee resignations.

5. Open and unaddressed risks related to commuting to workplace yield increased difficulty in hiring for hybrid or full-time in-office roles, compounding challenges in the current (at the time of this writing) market for employee recruitment and hiring.

6. Loss of company devices yields capital cost for replacements.

7. Loss of company devices yields opportunity for unauthorized network access, theft of data / confidential information, ransomware attacks, social media account takeovers, and other cyber threats.

8. Loss of company devices as a set (e.g., laptop, mobile phone, RSA key, etc. all belonging to a single employee) yields increased risk of circumvention of enhanced security measures (e.g., 2FA, etc.).

9. Loss of company physical materials can lead to malicious use and/or disclosure of company (and, where applicable, company’s clients’) confidential information.

10. Loss of company credit / debit cards can lead to unauthorized charges / theft of funds.

The above list is a highlight of significant risks and is non-exhaustive.

Mitigants

1. Companies may consider relaxing dress code policies when typical office dress (e.g., business formal) presents increased risk of employees being targeted for robbery / street crime.

2. Companies may consider expanding / implementing / re-implementing work-from-home or hybrid model work protocols during times of particularly increased risk (see below re: threat intelligence and monitoring).

3. Companies may consider advising employees to refrain from using items, particularly bags, which contain or display company logos / branding where such logos or branding present increased risk of such items being targeted for robbery or theft.

4. Companies may consider holding trainings for employees on maintaining situational awareness while in public / commuting, and other topical areas of physical security risk management for individuals.

5. Companies may consider providing shuttle services or security-accompanied walks to transit hubs and/or parking lots.

6. Companies may consider providing private transit home for employees working late in the workplace.

7. Companies should ensure that areas around company offices which are under the control of company (e.g., parking lots, open spaces, etc.) are well-lit, subject to security camera surveillance with no blind spots, regularly patrolled by private security, and subject to other appropriate security measures.

8. Companies may consider reaching out to local law enforcement agencies to hire official details of law enforcement officers to provide security at company sites during key times (e.g., at high-traffic retail locations during times of elevated crime risk).

9. Companies may consider standing up internal risk management / threat assessment business units to assess and manage the company’s ongoing risk exposure.

10. Companies may consider engaging directly with local law enforcement agencies for bilateral communication regarding threat assessments related to crime affecting the company and/or employees.

11. Companies should consider deploying policies and procedures with employee trainings regarding the reporting and management of crime incidents.

12. Companies may consider deploying an incident response hotline for employees which provides real-time, 24/7 response capability for the company in managing threats to employee safety, data security, protection of confidential information, and other related risks.

13. Companies may consider deploying an “on-call” system for key IT resources in order to enable real-time responsiveness to device theft, network breaches, data security, and related risks.

14. Companies may consider deploying software technologies which enable remote location tracking and disabling of company devices.

15. Companies should emplace and periodically test procedures for network and other asset (e.g., company credit / debit card) access denial and re-credentialing in the event of access compromise (by theft or otherwise).

16. Companies should have certain key personnel identified as points of contact for media inquiries related to risks facing the company (e.g., elevated crime risk) and message broadly within the company that media inquiries should be directed to such personnel only. Such personnel should be properly trained and advised from various business functions / units / resources (e.g., legal) on responding to such media inquiries.

17. Companies may consider emplacing resources to engage with employees who become victims of crime to ensure such employees receive the full benefit of all company programs and resources available to them (e.g., counseling, healthcare, etc.) should the employee wish to so engage.

18. Companies may consider providing assistance for employees in managing personal risks related to the employee’s loss of personal property, personal credit cards, personal devices, and other such items. Such assistance may include the inclusion of certain insurance products as part of standard employee benefits programs.

Titan Grey stands ready to assist on business risk management matters of the nature discussed in this Titan Grey Thought Leadership piece. Please inquire via e-mail to hello@titangrey.com.

Titan Grey Thought Leadership is presented subject to certain disclaimers, accessible here.

Scenario

Coronavirus Disease of 2019 (also known as “COVID-19”) is, at the time of this writing, a matter of global concern. Emerging in Wuhan, China in late 2019, the disease has spread rapidly and presents a threat to businesses worldwide and the global economy as a whole.

Basic Facts About COVID-19

• Human-to-human transmission is via airborne droplets resulting from coughing by infected individuals.

• If these droplets land on a surface, the virus can survive on the surface from a few hours up to several days.

• Symptoms of COVID-19 include fever, fatigue, dry cough, sneezing, runny nose, sore throat, and shortness of breath, among others.

• Roughly 80% of those infected recover from the disease without requiring special medical care.

• Those most at risk for developing critical cases of COVID-19 are young children, the elderly, and those with pre-existing medical conditions.

• As COVID-19 is a viral infection, antibiotics are not an effective remedy.

• Though research is underway, there is presently no vaccine against the COVID-19 virus.

• At the time of this writing, there are over 83,000 global cases of COVID-19, with 2800 of them being fatal.

• While cases of COVID-19 are presently concentrated in Asia, experts assert that it will inevitably spread into the US.

For further information on COVID-19, please consult the CDC’s FAQ page, as well as the WHO’s Q&A page.

Risks, Details & Mitigants

COVID-19 has the potential to impact US & international businesses in a variety of ways–some milder and some more severe. For each impact, however, businesses have the opportunity be proactive and take steps to manage risk before it affects their business. What follows is a non-exhaustive list of the ways in which businesses may be affected, and how the effective deployment of risk management protocols and techniques may mitigate or prevent adverse consequences:

RISK: COVID-19 spreads into your country / countries of operation, and attempts to contain the outbreak cause disruptions to daily life.

DETAILS: Disruptions may include shutdowns of public transportation, shortages of foodstuffs and other living necessities, overload at medical treatment facilities causing delays in access to care, etc.

MITIGANTS: Businesses should develop full continuity plans, including deploying remote working capabilities for all critical employees when possible. These plans should also include stepped-up procedures for office cleanliness, including the deployment of supplementary cleaning products and services throughout their facilities. Businesses should furthermore advise employees to prepare for disruptions by maintaining supplies of non-perishable food and sterilization products (e.g., hand sanitizer, cleaning solutions or wipes, etc.) at their homes. Businesses should likewise inquire with their health insurance providers as to whether their plans include some form of “virtual doctor’s appointment” or other such capabilities, and consider putting such a capability in place via a third-party vendor if no such option is provided by their insurance provider.

RISK: One or more of your employees become infected with COVID-19.

MITIGANTS: In addition to sick leave, businesses should deploy remote-working capabilities whenever possible. Furthermore, and in accordance with their business continuity planning endeavors, businesses should inventory critical tasks and upcoming deadlines along with the employee assigned primary responsibility over the task or deadline, and further designate one or more employees as secondary coverage if the primarily responsible employee becomes ill.

RISK: One or more third-parties fails to meet one or more commitments owing to disruptions related to COVID-19.

DETAILS: Even if your own business goes unaffected by COVID-19, other individuals or entities on whom / which your business relies may be adversely affected. Whether it’s a client, vendor, or some other third-party, a disruption in their locality or spread of infection within their business may adversely affect their ability to render service or meet commitments to your business.

MITIGANT: Enacting high-level third-party risk management—a specialized subset of overall business risk management—is a crucial element of creating operational resiliency within businesses during times of uncertainty and potential instability.

RISK: Shipping concerns disrupt national / international supply chain.

DETAILS: While global health authorities have represented that there is relatively low risk of COVID-19 infection from exposure to ordinary commercial goods shipped from jurisdictions where COVID-19 is present, global supply chains may nevertheless be disrupted by interruptions of an ordinary business environment for source countries and at other critical shipping locations.

MITIGANT: While the potential for and locations of disruption(s) are difficult to predict, businesses may implement various supply chain resiliency techniques to ensure that their own ability to do business is less affected by global disruptions.

RISK: Business travel destination(s) become affected by COVID-19 outbreak(s).

DETAILS: China—a major business travel destination by professionals in a variety of fields—is the epicenter of the global COVID-19 outbreak. However, other countries, such as South Korea, Japan, Italy and Iran, have recorded significant rates of infection at the time of this writing. Cases have been reported on every continent with the exception of Antarctica, and expects predict that, at the time of this writing, infection rates will continue to rise globally in the near-term.

MITIGANTS: Throughout the course of the COVID pandemic, businesses should avoid employee travel to high-risk areas at all costs. Before any upcoming business travel, businesses should check the COVID-19 status of destination countries on health authority websites, such as the CDC’s Travelers’ Health site. Where possible, businesses should arrange for teleconference or video-teleconference capabilities to be on-hand in case of cancellation of business travel due to COVID-related risk.

RISK: The global economy undergoes recession as a result of COVID-19.

DETAILS: Many economists, including Mohamed El-Erian and Nouriel Roubini, are predicting that a sustained global recession may loom large due to the potential effects of the global COVID-19 pandemic. While a rate cut by the US Fed may be a near-term possibility, it would do little to right the fundamental issues behind the COVID-19-fuelled pullback across global markets, according to Tom Porcelli (Chief US Economist at RBC Capital Markets).

MITIGANT: Finance teams within businesses must anticipate and plan for the impact of an increasingly possible global recession in 2020 as a result of COVID-19.

Titan Grey stands ready to assist on business risk management matters of the nature discussed in this Titan Grey Thought Leadership piece. Please inquire via e-mail to hello@titangrey.com.

Titan Grey Thought Leadership is presented subject to certain disclaimers, accessible here.

Scenario

In August 2011, Boeing Commercial Airplanes, a subsidiary of Boeing, announced the launched of its new 737 MAX aircraft as the fourth generation of the 737 line. Initial deliveries of the aircraft took place in May of 2017, and the plane entered commercial service shortly thereafter. Among the first passenger carriers to run the 737 MAX commercially were Lion Air, of Indonesia, and Norwegian Air, of Norway. Within a year of its launch, 130 737 MAX aircraft were delivered to 28 Boeing customers, and in total 387 aircraft were eventually delivered.

On 29 October, 2018, a Boeing 737 MAX aircraft operated by Lion Air crashed thirteen minutes after takeoff, killing all 189 aboard. The incident was widely reported by various media outlets at the time. Initial reports targeted a malfunctioning flight-control system which had to be disabled in order for the aircraft to function properly. Responding to the incident, Boeing issued guidance on its operational manual to advise airline pilots regarding procedures for handling so-called erroneous cockpit readings.

On 10 March 2019, a Boeing 737 MAX aircraft operated by Ethiopian Airlines crashed six minutes after takeoff, killing all 157 aboard. Like the Lion Air incident from the year prior, the Ethiopian Airlines crash was widely reported. Coverage reported that the incident was similar to the Lion Air incident.

Though initial investigations into the incidents could draw no official conclusions regarding Boeing’s aircraft or systems, findings pointed to Boeing’s Maneuvering Characteristics Augmentation System (“MCAS”) as the likely culprit. The system, which Boeing did not disclose its 737 MAX pilot manual or in its supplementary directive after the Lion Air crash, was allegedly commanding the plane’s flight systems to repeatedly dive, based on erroneous systems data.

Between 11 and 16 March 2019, aviation regulators in countries across the world–including the US, Canada, China, Brazil, India, and others–issued grounding orders for all Boeing 737 MAX aircraft.

Since the grounding of the 737 MAX, investigations into the two crashes and issues with the aircraft have increasingly focused on Boeing’s deployment of MCAS as the primary culprit. Assessments and testing from a variety of sources within multiple investigations have raised issues with the way in which Boeing designed, developed and deployed MCAS, as well as its lack of training and education of pilots and crews on the system’s existence within aircraft, when it would engage, and what to do in case of its malfunction.

On 4 April 2019, Boeing publicly acknowledged that MCAS played a role in both the Lion Air and Ethiopian Airlines crashes of the 737 MAX.

On 18 October 2019, multiple news outlets reported that in 2016, prior to the safety certification and release of the 737 MAX, Boeing’s chief technical pilot for the 737 program had warned a colleague about MCAS, specifically pointing to issues unearthed in post-crash investigations. While, in the wake of the crashes, Boeing officials had maintained that MCAS was not designed to activate within the “normal flight envelope” of the 737 MAX and therefore its exclusion from the standard operating manual for the aircraft was warranted, the 2016 internal messages specifically highlighted that MCAS was erroneously engaging itself. The messages go on to indicate that, in 2016 or prior, the US Federal Aviation Administration (FAA) may have been supplied with inaccurate information regarding MCAS. Nevertheless, in 2017, the very same Boeing pilot, again communicating the FAA, requested that all mentions of MCAS be removed from the plane’s operating manual because its operation was outside of the plane’s normal envelope. Going further, the Boeing pilot proceeded to engage in inappropriate discourse with the FAA regulator on the subject of obtaining regulatory clearances from other regulators for the 737 MAX.

Boeing turned over documents related to these communications to regulators and to Congress on 17 and 18 October 2019, allegedly months after first discovering them.

Upon receipt and review of the documents, members of Congress made public statements about what they deemed to be a pattern of troubling conduct by Boeing.

Gaps In Risk Management

Independent Escalation Channels – Boeing’s development team for the 737 MAX had knowledge of the issues with the MCAS. However, it is unclear whether any reporting mechanism existed for members of the team (e.g., engineers, test pilots, etc.) to report such issues to oversight resources outside of the 737 MAX’s direct value chain (i.e., officials and / or at Boeing whose success was not tied directly and exclusively to the marketing and sale of 737 MAX aircraft). While knowledge of the ultimately disastrous MCAS failures was present within Boeing long before the first 737 MAX was delivered to a customer, it was contained in isolated pockets, hidden from the view of senior management at the corporate level whose success is tied to the overall health of Boeing as a company. While some concerned members of the 737 MAX development staff may have wanted to communicate their concerns upwards, and while senior management may have wished to hear their concerns, the communication channels simply did not exist. Instead of reporting concerns to a unit or personnel with proper oversight authority, engineers at Boeing were instructed to take their concerns to business unit managers, as reported by the New York Times. However, with their success tied directly to sales of the 737 MAX, business unit managers had strong incentive suppress the identification of safety risks and prevent escalation of same to members of senior management. In the wake of the 737 MAX situation, Boeing has indicated that it has adopted clearer escalation channels from engineers to neutral oversight personnel, including the company’s senior management.

Independent Safety Oversight – Boeing lacked an independent internal organization charged with ensuring product safety. At a firm of the size of Boeing, producing products (i.e., aircraft) which have the potential to be deadly in the event of failure, an independent unit should exist as a check on commercial business units such as development, manufacturing, marketing and sales. The success of such a unit should not depend at all on sales of products, but rather on the safety of those products at time of sale and beyond. In the wake of the 737 MAX situation, Boeing has announced the creation of such a group within the company.

Employee Communications Monitoring – It is unclear whether Boeing had a function in place to monitor employee communications. As with all public companies, however, it should. Monitoring of employee communications over company-provided systems (such as e-mail, instant messenger, SMS on company-provided phones, etc.), coupled with a general policy and enforcement program that all company business be conducted solely over those company-provided, and not personal, communication systems, is a crucial arm of risk management in an era in which employee communications are a major driver of risk. Near real-time monitoring of employee communications by a unit of Boeing’s compliance group would have alerted senior management to ground-level issues with MCAS in parallel to–and as a backstop to–internal reporting and escalation of the issue from engineering or other staff.

Regulatory Affairs Oversight – While a debate rages on as to whether the FAA has fallen victim to so-called “regulatory capture” by firms such as Boeing, it is nonetheless crucial for the successful, comprehensive management of risk that all communications by a company’s personnel with regulators be not only monitored, but centralized and streamlined through a single source, such as an internal unit overseeing regulatory affairs. In instances such as this, where the specter of impropriety looms large over conduct by Boeing employees and, possibly, the FAA, it is essential that companies are able to manage their official positions on issues facing regulators and are furthermore able to deliver consistent messaging from all personnel involved. While Boeing, in this case, may be able to blame one or more rogue actors for the impropriety with respect to certain FAA-related issues, the company would do itself no favors in the eyes of its regulators, world governments, its customers, its investors and the general public by claiming to have little power to govern the conduct of its employees. Additionally, the FAA’s approval of the 737 MAX has not served as a significant line of defense against Boeing’s liability for its aircraft’s failures, owing partly to the relationship its staff (such as the chief technical pilot) enjoyed with members of regulatory staff. The surfacing of inappropriate communications between members of Boeing and regulator staff has only stoked the fire of governmental concern over Boeing and the regulatory framework meant to govern its conduct.

Costs & Impacts

Financial – Boeing has experienced catastrophic financial losses in the wake of the evolving 737 MAX situation, having posted a company record loss of $2.9 billion USD for Q2 2019. Its market capitalization, as of August 2019, has fallen by $62 billion USD, on the back of a 25% erosion in share price. Overall, the halt of sales and impending cancellation of orders may cost Boeing roughly $600 billion USD.

Business Position – Boeing has seen fit to postpone development of at least one critical project (the Boeing New Midsize Airplane) and is reportedly considering staff reductions as of Q3 2019. Following the grounding of the 737 MAX, Boeing has suspended all deliveries of the aircraft to customers and slowed its production schedule (financial impacts of which are noted above).

Brand Equity – While multiple crashes and a global grounding of the 737 MAX fleet may have been sufficient to critically damage the public’s trust in Boeing, later evidence pointing out that the company knew of the issues giving rise to the crashes and buried them only further stokes the fire. Numerous polls have indicated that the public has lost its trust in the 737 MAX, and with recent evidence coming to light about Boeing’s practices, the same may well be said of public trust in Boeing itself as well. Serving the needs of the general public, airline customers of Boeing will face increased scrutiny and pressure on their dealings with the company, impacting Boeing’s ability to sell its products across the board.

Criminal Investigation – At the time of this writing, Boeing and certain individual employees may face criminal prosecution in connection with the 737 MAX crash incidents.

Civil Litigation – Boeing now finds itself the target of civil litigation from a variety of sources, including pilot groups seeking compensation for lost wages, crash victims’ families seeking compensation for wrongful deaths (potentially including punitive damages), and others. At the time of this writing, the total outcome of the global 737 MAX litigation is yet to be known.

Regulatory Pressure – Boeing will likely face significantly increased regulatory scrutiny across the globe as trust in the company and its practices has been eroded by the 737 MAX crashes and their aftermath.

Key Takeaways

1.  Companies must designate certain personnel or units as managers and overseers of risk, with their success directly tied to safety and effective risk mitigation instead of sales and other commercial metrics. Companies cannot rely on commercial units (e.g., sales, marketing, etc.) to manage risk. With the success or failure of these units being tied directly to the sales performance of their managed products, these units are inherently disincentivized from reporting issues which may imperil sales and are not likely to serve as effective mitigants of risk.

2.  Companies must ensure clear and independent lines of communication between ground level staff and those personnel and / or units designed to manage risk. Staff members in product development, sales, marketing and a variety of other functional groups must be able to communicate clearly and confidentially with risk managers in order to effectively relay concerns without fear of reprisals or dismissal.

3.  Companies must institute policies, procedures and technological capabilities in order to be able to effectively monitor employee communications in real-time or near-real-time. Failure to monitor employee communications robs companies of their opportunities to manage risks borne out of the behavior of rogue actors. Assigning blame for corporate malfeasance to rogue internal actors ex post facto is not an effective strategy. Instead, companies must own the risk that their personnel may act against the best interests of the firm and effectively manage incidents as they are occurring.

4.  Companies with regulatory exposure must institute policies, procedures and top-down governance over corporate communications with regulators. While in most cases, a regulatory communications function serves to manage regulatory relations and minimize the risk of incurring penalties or enforcement actions, in some cases, its purpose may be to detect regulatory capture and therefore ineffective regulation. While ineffective regulation may not seem, at first, to be a risk for regulated businesses, for businesses without strong regulatory affairs units, it may present itself as an invitation for corporate misconduct, as evidenced above.

Conclusion

Companies should be proactive about risk management and conduct broad risk assessments on a regular basis. Such assessments should monitor for threats across strategic and tactical vectors. From broad-based standpoints such as ensuring clear and independent reporting lines, to granular measures such as monitoring high-risk employee communications, risk management efforts must be comprehensive. Finally, it is vital that key stakeholders up and down a company’s chain of command “buy in” to the importance of risk management and participate in the process in a transparent and cooperative manner. It is incumbent upon company leadership to ensure that a “culture of risk awareness and management” is present at all levels of the organization.

Titan Grey stands ready to assist on business risk management matters of the nature discussed in this Titan Grey Thought Leadership piece. Please inquire via e-mail to hello@titangrey.com.

Titan Grey Thought Leadership is presented subject to certain disclaimers, accessible here.