As the swine flu pandemic monopolised international news headlines and governments bulk-bought vaccine, companies across the world prepared themselves for the worst. Thankfully, the worst has not materialised, but lessons can still be learned, says Tony Dowding

So how was it for you? The swine flu pandemic? A bit of an anti-climax? Well, the consensus from many risk managers appears to be that the snow and freezing conditions in large parts of Northern Europe at the start of 2010 caused considerably more disruption than swine flu.

Of course, the flu pandemic may not be completely over, but it does seem as though we are through the worst of it, with the UK and French governments, for example, reportedly planning to offload swine flu vaccine, either by selling it or giving it to developing nations, although a stockpile will be retained in case there is an upsurge in cases, or the virus mutates.

Cases of swine flu have fallen dramatically and are said to be below even the levels normally seen for winter flu. All of which is a far cry from the predictions earlier last year, when reports suggested that more than 60,000 people in the UK alone could die this winter as a result of swine flu. To date, less than 400 people have died in the UK, according to the Health Protection Agency, and global deaths attributed to swine flu are currently around 14,000.

Corporate planning

But back in early 2009, with governments and global organisations such as the World Health Organisation (WHO) predicting a major pandemic, companies had to be prepared for the worst. Scott Nicholl, senior consultant at Aon Global Risk Consulting, said that most medium sized and large client companies did have something in place. “Clients that had some experience of SARS in 2003 or some sort of Far Eastern dependency, facility, or office, would have already picked up on this. In the UK, it was in 2005 that this became a headline issue with bird flu, and there was a lot of media coverage, and certainly an element of scare-mongering.”

As a result, he says, there was an initial peak of interest, which quickly died a death, as it didn’t seem to have the sort of far-reaching implications that were first being talked about, and so up to 2009 pandemic planning was kept on the back burner. “People were still aware of it, and continuity managers and risk managers were still talking about it, but it wasn’t as big an issue as it had been,” says Nicholl. “Then in 2009, swine flu brought it back to the forefront again, and plans from 2005 were dusted off and refreshed, and there was another surge of interest.”

Tim Cracknell, head of risk consulting, Global Risk Solutions, Jardine Lloyd Thompson Limited, says that many medium-sized and larger firms developed plans, “in some cases from scratch and others built on any existing SARS or bird flu plans. Those with more a mature business continuity management (BCM) approach were able to operate within their current BCM frameworks, such as financial services, while those with higher vulnerable groups, such as the caring profession, paid closer attention to matters. However, broadly, this was an issue that had to be faced across the spectrum and some prepared well and others more superficially.”

Key areas

Several key areas seem to be covered by the majority of plans, according to Nicholl. Firstly, there was initiating business continuity arrangements with a heavy emphasis on staff communication, making sure that people are aware of procedures regarding flexible working, being able to stay at home, or if staff are going to come into the office, increased personal hygiene procedures.

Also, many plans cover travel restrictions and quarantines while the pandemic is at its peak, says Nicholl. “At the more severe end of the spectrum, which we didn’t in fact see, there would have been plans around workplace contamination and closure. And making sure that people who are critical to the business are able to get to work quickly, and have access to whatever they need to perform their function,” he says.

A lot of plans also dealt with services that one would expect to be delivered by local or central government, such as public transport, security, policing, emergency services, and the possibility that such services might not be available or only available on a very prioritised basis. And many plans looked at making provisions for helping people to get to work where local transport was not working as normal.

“If there are critical functions that you need to maintain, and they were client-facing,” says Nicholl, “then a lot of plans emphasised that people that had been off and made a recovery and were returning to work would have some sort of immunity to further infection, so these people could be utilised to be the ones that were exposed to the public.”

Needless to say, many of the plans were untried or never put into practice. But, says Cracknell, testing was the best way in which effectiveness could be measured. “Some organisations did various levels of testing, but with greater focus on the first few days rather than large swathes of staff being affected. Some businesses decided that their third party work-area recovery sites would not be used on the basis that the illness could just as easily occur at, or be taken to, those premises and therefore a ‘send home/quarantine’ approach, along with deeper office cleaning, led generally to decisions that current work locations would be used.”

Case studies

Different companies in different sectors took different approaches according to their perceived exposure. Julia Graham, chief risk officer of law firm DLA Piper, says that they had a plan pre-2009, driven by SARS in Asia where the firm has offices, and then by bird flu. “Swine flu drove a fresh risk assessment and a comprehensive re-write of our plans,” she says, “and we have plans at strategic, regional and local levels.”

The strategic plan was invoked early in 2009. “We have been maintaining a pandemic intranet site which has a high profile on our firm-wide intranet home page supported by regular firm-wide newsgrams, says Graham. “We are just about to stand this down to our regular risk site but it can easily be escalated again as required - we don't want to cry wolf, by keeping a high profile when in many eyes the risk has diminished. This approach means that we remain prepared but just adopt a lower profile.”

She says the plans ensured that people knew what the firm's policy was, who to contact and how, and a regular pattern of communication was quickly established “which gave a sense of control across the firm and comfort to the board, to whom I reported throughout.”

Looking ahead, Graham says that “disease remains a strategic risk and as such remains on our strategic risk register and radar. This said, we learned a great deal about the current pandemic and modified initial plans - largely in line with experience from businesses in Australia. I particularly like the way the Australian government and medical agencies reacted.” She adds that the firm is now redrafting its pandemic plan framework.”

For Gary Marshall, group risk manager, of printing firm The Polestar Company Limited, it was initially about assessing the risk. “We had plans in place for pandemic risk going back some years to 2005, around the time of bird flu,” he explains. “We were starting to talk to customers about security of supply and what that meant in terms of carrying on our business in the event that any given set of circumstances resulted in a proportion of the workforce being unavailable.”

He explains that the firm only needs about 40% of the workforce to print in any given 12 hour shift. “Over a two week period, with a bit of extra time put in, we could probably get by with 60%-70% of the workforce,” he says. “That was in the area of the worst case scenario that experts were talking about – about a third of the workforce being hit. So we were reasonably relaxed about this aspect. We were probably more concerned about suppliers and supplies, and the possibility that we might have nothing to print, because the entire editorial team of a publication might go down with swine flu, for example.”

For others, there was a greater need for contingency planning. Kip Berkeley-Herring, group risk manager, BT, points out that under the terms of the UK Civil Contingency Act 2004, BT has a legal obligation to co-operate with Category 1 ‘Blue Light’ (emergency) services and other Category 2 responders by sharing information relevant to planning and responding to incidents or emergencies impacting the UK. “This is achieved by BT’s attendance at national, regional and local resilience forum meetings known as ‘Strategic Coordination Groups’,” explains Berkeley-Herring.

BT has a dedicated swine flu intranet site, and as part of its contingency planning arrangements, BT has produced regularly updated guidance for employees. This guidance includes advice on a wide range of issues related to swine flu, from what to do if you have swine flu symptoms (stay away from work until symptoms pass) to business travel (travel within the UK and other countries is generally not restricted, although BT has advised its people to minimise all long distance air travel). BT has also distributed hygiene packs containing face masks and alcohol-based wipes to engineers who work in the community and do not have easy access to washroom facilities.

The future of pandemic planning

One problem that the various crises such as SARS and swine flu have highlighted, is that continuity planning had been too heavily focused on asset protection. “A lot of organisations would have still worked on the traditional assumption that some sort of continuity plan was primarily in place to cover the interruption from the loss of a tangible physical asset,” says Nicholl. “They probably weren’t great at figuring out that although the asset may be OK, they potentially don’t have any people to use the asset or system or run the process.”

He adds, “The key challenge for pandemic planning is to make sure that the traditional assumption about the loss of a physical asset doesn’t become the foundations for the plan itself. It needs to be widened out to recognise the fact that we might be dealing with a loss of human capital rather than a physical asset.”

The lack of a major pandemic, despite all the dire warnings, could be a cause for concern, says Nicholl, “because if you read some of the information from quite influential bodies such as the World Health Organisation or the Centre for Disease Control in the US, the message is that it is not a case of ‘if’ it will happen, but ‘when’ it will happen. The more times that you have the 2005 experience or the 2009 swine flu experience, people will still think that there is a lot scaremongering and that it will never actually happen. That could cause problems in the future if there is a true pandemic, creating a sense of false security.”

Cracknell points out, “If anything, there is a risk of ‘cry wolf’ for those organisations that were not significantly affected by SARS, avian flu and swine flu. The next pandemic illness of concern could be taken a lot less seriously and actually prove to be the most fatal.”