COVID-19 Security Response Tactics and Strategies to Consider for Business Resumption Plans

Return to Program Best Practices
Created by Dan Sauvageau, SEC Subject Matter Expert.

Many security departments are currently busy focusing on the immediate needs of managing their COVID-19 response plans, assessing their resources, evolving their tactics, and fielding questions from employees, executives, and other stakeholders. Some may have not had the time or opportunity to think about what the next two, six or twelve months may look like or what measures they should consider taking when officials allow non-essential businesses to open and employees return to work. With some countries already starting to slowly end lockdowns and the U.S. government's three phased re-opening plans recently announced, now is the time for companies to get into high gear with their next phase of business resumption plans. In the spirit of helping our community to "see around the corner," the SEC is taking the opportunity to share thoughts and ideas that security teams may want to consider as part of their near- and longer-term strategic plans to manage through the COVID-19 pandemic and beyond.

This is a critical time for Security to rise to the occasion to assist their company in managing this crisis and demonstrate their value over the long term. This can be done by demonstrating their considerable crisis management experience, talents, and 24x7 presence, leveraging their tools, delivering excellence, and offering creative solutions to novel problems to keep a company safe, secure, and successful.

Realizing that companies vary in industry, size, location, layout, and resources, some of the suggested items below may prove more or less challenging for some than others. Also, given the dynamic nature of the COVID-19 virus and fluid recommendations and guidelines coming from local, state and federal agencies, the security department should work closely with its internal stakeholders in HR, Facilities, Safety, Legal, Corporate Affairs and specialized licensed health care experts before implementing specific measures. These functions are also best positioned and informed to adopt measures and controls that best fit their corporate culture and risk appetite. As the company quickly evolves from a response to recovery mindset, it should be prepared for the numerous yet unknown challenges in the weeks and months ahead. It is time to move beyond the tactics, see through the fog of the battle, and be strategic and creatively flexible in one's planning process. Think of it like a COVID-19 employee return experience where all aspects of returning to one's place of business are clearly thought out, risks carefully assessed, action plans made and communicated, and done with unprecedented teamwork and collaboration amongst business functions.

The centerpieces of the planning process are trust, transparency and the health and wellbeing of all employees, both in the words and actions of a corporation. Maintaining those three focal points should go a long way to engaging employees for the challenges that lie ahead and enabling security teams to be successful.

The suggestions outlined in this document fall into five general categories:

  1. Preparing for re-entry
  2. Re-entry logistics for employees, vendors, and governance considerations
  3. Ways to best leverage security teams and their tools
  4. Staggering the workforce and staging the workplace differently
  5. Post-business-resumption risks and preventive measures

Well-resourced and robust security functions will likely have documented procedures and guidelines for re-entry and business resumption well underway, while some may have not yet started. The suggestions outlined below may be helpful for both groups as they are meant to stimulate the thought process and accelerate discussions between security and their business partners.

1. Preparing for Re-Entry
There are many things for a company to consider prior to re-entry to its workplace, but arguably one of the first is how to do so in as safe a manner as possible for all employees. The term "employee" is used to broadly cover employees, contractors, interns, or anyone who accesses the workplace on a routine basis. Once plans are solidified for the employees' safe return to the workplace the company can focus on undertaking the necessary longer-term efforts to mitigate the risks of a further business disruption or closure due to a possible future virus outbreak. Local, state, and federal government guidelines are the first ones to consider when moving to a phased business re-opening, but such guidelines are designed to be general and for a diverse set of industries and institutions. Government guidelines will lack the specificity that companies will need to fit their unique business requirements, workplace environment and culture. Government guidelines are also meant to be the minimum requirements or hurdles to overcome; a company always has the option to do more and go above and beyond to ensure the safety of their employees while regaining momentum for its business. Employees will count on and expect their companies to do everything possible to ensure their safety in the workplace or while on company business, and companies have a duty-of-care responsibility to not let them down.

Symptom screening - Aside from the myriad of reactionary company policies and practices developed by companies thus far into the crisis, symptom screening of people prior to returning to the workplace is a logical first step to consider. The objective is simple - keep the infected out to avoid further infections; however, the means to do that are complex. A company has many options to consider when it comes to screening its employees. Here a just a few approaches that some companies are doing or considering:

  • Employees take their own temperatures and answer CDC or appropriate government health official COVID-19 symptom questions at home - before coming to work.
  • Employees take their own temperatures and answer symptom questionnaires upon arrival at work, which are then validated/supervised by a designated person(s).
  • Designated, trained, and properly equipped company employees perform the screening at the entrance to the workplace.
  • A subcontracted licensed, qualified healthcare provider performs all screenings at the entrance to the workplace.
  • Employees answer other symptom questions before arriving at work, and thermal cameras installed at designated entrances read temperatures of people as they enter, followed by other measures.
  • Any combination of above

If a company chooses to have its security staff perform screening and temperature taking of employees, vendors or visitors, the staff should be properly trained and equipped with CDC recommended PPE and would be well advised to only perform that work under the direction of competent and licensed medical health care provider. This option also comes with significant other risks and challenges that should be carefully considered by all company stakeholders.

If screening is done in the workplace, stations and queues may be set up to allow for social distancing and, where necessary or practical, with separate entrances for employees, vendors and visitors to facilitate throughput and allow for social distancing and some degree of privacy. Ultimately, a building's size, configuration, population, and use will determine what approach works best, and one should expect to modify their approach through some amount of trial and error. Security is typically well positioned with the access history tools, data and experience to estimate "normal" volume throughput in pedestrian entries to help inform decision makers on what approach makes the best sense for them.

A company may also ask their healthcare provider experts if two levels of temperature tests are prudent - infrared followed by a secondary, more precise temperature screen to minimize false positives. A trained, equipped, and experienced healthcare provider will know the best practices to employ and should be consulted. Security and their business partners should, however, be part of the planning process to assist the healthcare provider by understanding the business environment, organization, and its culture to allow for a streamlined, positive employee experience. Healthcare providers that offer such services are already being placed under contract or will be in extremely high demand as more companies develop return to business plans. The SEC suggests that security teams conduct their own due diligence and needs assessment when determining what health provider is best suited for them.

Secure internal web portal for incident tracking - Keeping track of individuals who have been out of work with symptoms, confirmed cases or quarantined from recent travel can be a daunting exercise for a company, especially one with thousands of employees. A secured, database-driven portal could be set up and made available to employees to self-report updates on their conditions or changes in health (e.g., recovering at home, in hospital, elapsed quarantine time, more recovery time needed). Professionally trained HIPAA HR staff or others could manage the portal and act accordingly on the information collected. As previously noted, Corporate Legal and/or HR would be important stakeholders to ensure all HIPAA rules are followed.

Discontinue unassigned seating and locking conference rooms - Inform employees ahead of returning to work that unassigned seating will be discontinued. Consider locking conference rooms or areas where large groups of people might consider gathering. Place signage on areas designated as off limits. Designate or render select fixtures inoperable in common use areas such as restrooms, cafés, or outdoor patios to allow for and encourage social distancing. More information on this topic is included in section 4 below.

Proactive communication - Communicate to employees as to what they can expect to experience on day one of their re-entry experience so they can be prepared, understand, and gain comfort in the actions your company is taking to protect them. This may help reduce their anxiety and that of their loved ones by detailing all the measures your company has taken and will undertake on a go-forward basis, such as cleaning protocols, social distance markings, building occupation limits, entry screening, and package handling.

Consider creating "wellness coordinators" - To assist with reinforcing messaging and mitigation efforts being taken as part of the overall re-entry experience, companies may consider developing a system whereby designated individuals across enterprise HR functions and/or business units serve as wellness coordinators. Similar to having knowledgeable, trained employees serve as emergency/floor wardens to assist in a fire or other building emergency, wellness coordinators who are trained and versed in the company's unique COVID-19 measures and protocols could be a force multiplier for the HR, Facilities and Security departments. These coordinators could serve as knowledgeable ambassador points of contact for the broader employee population - adding clarity to communicated messages or funneling questions and concerns of co-workers to the proper individuals with responsibilities to address an issue. This approach would supplement other avenues such as intranet web portals or microsites for employees to voice concerns or comments. It would also add a human dimension to the communication process. As with any delicate matter involving employee privacy, Corporate Legal would be an important stakeholder to ensure privacy and HIPAA and other privacy laws are followed.

2. Re-entry logistics for employees, vendors, and governance considerations
Make hygiene apparent and accessible and cleaning visible - Ensure hand washing signage reminders are ubiquitous throughout the workplace, not just in restrooms. Hand sanitizer or disinfecting wipes should be readily accessible and re-stocked at all entrances, exits and throughout highly trafficked common areas. Place disinfecting wipes or disinfectant near all commonly used office equipment, e.g., printers and copiers, and other high-touch surface areas. Consider adding periodic checks of these stations to security's patrol duties to avoid employee frustration and reduce risk if they run empty.

Instead of relegating housekeeping staff duties to off hours, make them visible and available throughout the day, especially in the early days of return to business. Frequent cleaning of common areas and high-touch surfaces will help put employees at ease. Employees should see cleaning taking place and smell it in the air. The early days of re-entry will all be about gaining employee confidence and trust for the sanitary nature of their work environment, and these duties will likely fall on the shoulders of lower-paid vendor staff. It is important to pay close attention to cleaning and sanitization practices. Without question, some employees will be looking for gaps and perhaps even taking pictures of practices and areas they are critical of or find concerning.

Vendor controls and oversight - For many companies, on-site vendors are essential partners in allowing a business to carry out its important day-to-day operations. However, a company has little if any control over the outside practices, behaviors, and policies of the vendor staff they use and who enter their workspace. Ahead of re-entry would be a good time to understand and validate what measures, controls, policies, and procedures vendors have for their employees. After all, their presence and behaviors will impact a company's ability to maintain a safe and healthy work environment. Perhaps the Procurement department, which is best positioned to know every vendor contract, could coordinate, and take ownership of this task. In many companies the Facilities and IT functions often have the greatest number of vendors, so that may be another logical place to start.

Strict guidelines may be needed for vendors, especially those with unknown, limited, or questionable benefits or practices to mitigate virus spread. For example, a company can incent its sick employees to stay away from the workplace by offering generous paid sick or quarantine leave or extend work from home abilities. What if a vendor does not extend this or similar benefits to its employees, especially those who live paycheck to paycheck, and they come to your workplace sick for fear of missing out on pay? Every effort should be made to ensure service staff, especially housekeeping, food, and other close-contact service functions, are not spreading virus through their normal duties. This is especially important for the housekeeping staff who are entrusted with vital cleaning and disinfecting duties. The importance that trust has on the employee experience and their perception of a safe/healthy workplace cannot be overstated here. It would be a serious impact to business operations and employee trust if that critical vendor who chose to ignore or not reveal their symptoms came in and infected others in a critical operation, or if a housekeeper responsible to clean and sanitize workspaces was instead contagious and spreading virus, making people sick and causing a workplace shut down.

Housekeeping staff should follow government health officials' guidelines regarding PPE while performing their duties and be instructed on the proper use and disposal of them. Also, they should properly dispose of other potentially contaminated items they use or come across in performance of their duties. Typically, the Facilities department will be responsible for ensuring the work practices of housekeeping staff, but they may not be around to ensure they are always carried out. Consider whether security can add value by serving as a secondary check and balance control measure to ensure that designated areas are cleaned and/or disinfected after hours and housekeeping staff are wearing PPE as appropriate. Security could capture their findings and share them with their Facilities partners to address non-compliance before larger problems emerge. This is a terrific opportunity for Security and Facilities to partner closely and demonstrate teamwork to employees and senior management for the benefit of all.

Consider having conversations with vendors now about whether they have plans to notify your company in a timely manner of any confirmed COVID-19 cases that occur among their staff who access your premises. Would you want to leave it to chance that a contractor who has COVID-19 symptoms and calls in sick to their company will proactively also notify your company? Consider working with your Procurement and/or Legal partners about adding addendums to existing contracts emphasizing new or additional COVID-19 controls and measures that your company deems important and that vendors must follow while on property to avoid virus spread resulting from their behaviors.

Shipping/receiving/packages - While health experts consider the transmission of the COVID-19 virus from package surfaces to be low compared to social contact and droplet spread, the risk still does exist, and measures should be evaluated against the company's risk tolerance. Consider allowing any inbound packages to remain untouched for a period of time until surfaces are considered free of viruses according to published CDC or equivalent health agency guidelines. If parcels are deemed important, adopt disinfecting procedures for parcels in accordance with healthy agency guidelines. Discontinue internal hard copy mail services until the pandemic risk is over. Ensure shipping/receiving and internal mail staff are properly trained and understand established guidelines and restrictions concerning package handling. Post external signage (multi-lingual as appropriate), instructing infrequent delivery personnel of the established measures and controls in place prior to them entering your facility or offloading materials. Greater care and more stringent measures may be appropriate for packages destined for high security and critical areas such as data centers, GSOCs, R&D labs, trading floors, wire transfer rooms and executive offices.

Leverage existing plans, or start plans, to create virtual GSOCs to create flexibility in the event of future outbreaks. If virtual GSOCs do not exist, re-arrange existing workstations to increase social distancing. Some GSOCs are built atop a raised floor which may make rearrangement easier. Split work teams and have them perform at-home self-assessments of symptoms prior to workday shifts to prevent spread and contamination of this critical function. Designate the GSOC and all critical areas frequented by people as regular disinfected areas for housekeeping staff to address. See the SEC's COVID-19 GSOC & General Security Risk Mitigation Checklist.

3. Ways to best leverage security teams and their tools
Most corporate functions are not available or on-site on a 24x7 basis like security. Yet business partners such as HR and Facilities have already been and will continue to be deluged with employee calls concerning questions about COVID-19 plans, policies, controls, and measures. Many expect COVID-19 to be an ongoing crisis/challenge to manage well into the year 2021. Such a long-tailed event will no doubt create fatigue across teams. The more cross-functional support and collaboration there exists amongst business partners, the more enduring and resilient people and teams will be for the marathon journey that lies ahead. Let's look at some ways Security can assist and continue to add value in the long term.

  • Leverage your CCTV system to conduct periodic after-hours spot checks of housekeeping staff to ensure they are employing safe hygiene practices while cleaning the workplace. Alert facilities staff of improper practices before larger problems set in. Some housekeeping firms are small with limited resources and training to manage a crisis of this magnitude and complexity and offer limited supervision of their duties. Security can be an extension of the eyes and ears of a Facilities team.
  • Leverage your CCTV system to monitor if social distancing practices are being maintained in the workplace upon employees' return and future phases of increasing population. If your system has video analytic capabilities determine if it could detect for breaches of pre-set social distance parameters.
  • Proactively have the GSOC team run end-of-day building access reports to inform stakeholders of occupancy rates.
  • Ensure that all access systems and CCTV equipment are working and recording properly as they will be essential contact tracing requests/needs.
  • Consider installing "exit" card access readers to help assist with building occupancy counts at any given time and contact tracing when warranted.
  • Be vigilant in keeping visitor and vendor sign-in and access records up to date and accurate. Records will be essential in flagging individuals who are temporarily not allowed access if they failed temperature/symptom screening and for contact tracing.
  • To the extent possible and balancing the needs of security with safety, consider allowing normally closed, non-critical interior doors to remain open to reduce the number of commonly touched surfaces. Note: It is important to follow local fire code requirements and not to impede the operation of fire door closures. Also, taking normally active card reader-controlled doors offline will limit access history records for potential contact tracing so the risk/benefit decision to leave doors open should be carefully assessed.
  • As appropriate, consider replacing card access door release buttons with hands-free, passive infrared door releases.
  • Depending on your buildings' unique entrance configurations and/or security requirements, consider leaving main entrance doors open and staffed with a security officer during times of increased foot traffic while still having employees use their access cards to create access records for population counts and contact tracing.

Companies that have already experienced confirmed COVID-19 cases in their workplace are reporting that important contact tracing requests from health officials is taking a huge amount of time and taxing their staffs, who are already stretched thin. Depending on your access system's capabilities, consider creating pre-programmed software shortcuts or routines to quickly assist with contact tracing if needed. Also consider ramping up with additional contract staff now - ahead of incidents requiring contact tracing when large numbers of people return to the workplace. If your visitor management system is not up to the task, make note of this and hold onto it for future capital requests. Records of all persons accessing a facility will also prove helpful should health officials need to conduct contact tracing for infected individuals and subsequent communications to building occupants about necessary appropriate actions and measures to be taken.

The risk of malware and computer viruses being introduced into company equipment used while working from home in a less controlled environment may have increased. Consider partnering with your IT department and use access systems to disable badges (i.e., block access) of individuals who need to have critical equipment scanned for virus or malware before it returns to the building and is connected to the network.

4. Staggering the workforce and staging the workplace differently
Just as some employees experienced anxiety returning to work in high-rise buildings or flying on planes following 9/11, some will have anxiety or concerns about returning to a workplace filled with people compared to the controlled environments of their homes for the past six or more weeks. Look at how businesses that are deemed essential, like grocery stores and pharmacies, have evolved their controls to limit virus spread in recent weeks, such as shortening store hours, setting special times for the elderly to shop, limiting the number of people allowed in a store, routine disinfecting and social distancing inside and outside. The workplace may consider employing similar measures that limit spread and make employees feel more at ease. Hands-free access control systems such as facial biometrics have existed for some time, but their throughput limitations or cost were often prohibitive. Eventually, these and other technology solutions that enable touchless controls will become more practical and less expensive. Since perimeter security and access controls are the domain of security departments and often require physical contact, security leaders should be vigilant in researching practical hands-free or soc called "friction-less" solutions suitable for long term use. Now may be an opportunity to try out virtual receptionist and self-serve, voice-enabled kiosk assistance stations.

Consider the following measures that help address and or complement government guidelines for phased re-openings and/or your company's other needs:

  1. Discontinue unassigned seating altogether or at least until pandemic risk is completely over at which time the risk/benefit can be re-evaluated. Consider assigning seats to individuals and allowing for social distance spacing in the work environment with social distance marking prominently displayed in work areas as appropriate. Some of the large commercial real estate service providers already have robust plans and ideas available on the web for companies to consider accommodating social distancing in the workplace
  2. Continuing some measure of work from home strategies to minimize building occupancy and keep more vulnerable staff away from the workplace will ease pressure on any symptom screening checkpoints and other building services needed to keep the environment and occupants healthy.
  3. Apply signage markings on floors in lobbies, common areas and other typical gathering areas to designate 6 ft. social distancing.
  4. Create social distance markers around workstations as friendly reminders in co-worker interactions.
  5. Stagger work hours to limit office population and ease traffic at entry symptom screening stations.
  6. Section/designate parts of the building as no-work/off limit areas to serve as relocation spaces for areas that get closed down temporarily if/when confirmed cases occur. Disable access control readers to these and other temporarily restricted areas.
  7. Modify contractor card access privileges for times of day or days of week to limit them from showing up off schedule or wandering in temporarily off limit areas.
  8. Divide critical functions into 2-3 components, allowing only one to work on any given day/shift to ensure "people continuity" if one becomes infected.
  9. Consider limiting elevator occupancy or restricting their use to only mobility restricted employees. Explore the feasibility of upgrading elevators to touchless controls.
  10. Consider making long corridors one-way to allow for social distancing.
  11. Consider individualized take-out meals from favorite restaurants to build staff morale, reduce cafeteria populations and help small businesses.

It's important to ensure frontline supervisory staff and all full-time and contracted service support staff such as Security, Facilities, etc. are well informed of any changes ahead of re-entry so they can properly support, communicate, and help employees comply.

Leased space - If you occupy leased space as a tenant you may have no control over the cleaning or hygiene practices in place for common areas such as lobbies, building reception, stairwells, and elevators. Also, a tenant may have little if any control over the quality of work, cleaning supplies used, or procedures employed by the housekeeping staff for your immediate office environment. Given these limitations while still being responsible for the safety and health of your employees in the workplace you might ask yourself the following:

  • Are landlords and their housekeeping staff following CDC or other equivalent gov't health official's workplace disinfecting guidelines? The CDC recommended guidelines can be found at this link: Cleaning and Disinfection for Community Facilities
  • The Buildings Owners Management Association (BOMA), a property management oriented professional industry association has many informative on-line resources and best practices that a company may leverage, especially one that doesn't have its own professional Facilities department.
  • Are they using EPA-approved products that are effective to eradicate the virus and safe for employees?
  • Is the landlord or their vendors conducting symptom checks of their cleaning and support staff before entering the building or tenant space to perform their duties?
  • Are landlord vendors encouraging staff to self-quarantine with paid sick leave or other benefits if one is sick or symptomatic, so they don't spread virus to your offices or common areas?
  • How confident are you that Illiterate and poorly trained housekeeping staff understand and properly carry out their duties to your expectations?
  • How are all the above issues playing out in international leased spaces of less developed countries, where local government guidelines are non-existent or lax compared to those in developed countries? What about countries with a high level of corruption?
  • How can you be assured they are not cutting corners with products and procedures to save money?

Now is the time to review your lease agreements and enter into proactive conversations with your landlord to understand and request specific measures when it comes to routine office cleaning and disinfecting work areas, both as a matter of routine and after it is known that someone was symptomatic and/or confirmed for having the COVID-19 virus. If you are not an anchor tenant, determine where your company stands on the prioritization scale for requesting disinfecting of workspaces in a time of need or high demand. Inquire if the landlord has a practice to notify all tenants if they are made aware of confirmed COVID-19 cases among tenants, vendors, or their own staff. It is better to know what is in place or lacking before the rumor mill gets started or you are caught off guard by employee questions on the topic.

5. Post-business-resumption risks and preventive measures
Business travel - Once business re-opening phases commence, companies will have a need to resume business travel to check on suppliers, service clients, and generate new business. With reduced commercial routes, fewer direct flights, continued interest in social distancing, and a desire to avoid airport congestion, private aviation may become more popular among travelers for critical business needs. A company may consider which roles are travel critical, such as sales, business development, manufacturing, and executives and inquire if they plan to use commercial or private aviation. If private or charter aviation is used more frequently, the security department should look into whether their current automated travel tracker systems do or do not track employees on such flights.

Regardless of whether travel is undertaken on commercial or private aircraft, it will be important to remain current and vigilant on continued travel bans, restrictions, and changes. Once travel restrictions are eased or lifted, a company should closely monitor the appropriate government travel advisories, WHO and CDC guidelines, and third-party global risk providers as health officials caution against the emergence of a second pandemic wave and/or virus "hotspots" which could catch business travelers off guard if not kept properly informed. Particular caution should be placed on allowing travel to developing countries that reported few initial outbreaks of the virus, since some countries may have adopted internal policies to not test for the virus or have insufficient tools and protocols for tracking virus spread.

Prior to resuming business travel, a security leader and their business stakeholders should agree upon what factors could be used to determine when a destination is appropriate for business travel. A fully thought out and agreed upon set of controls and strategies should be devised, and a pre-trip safety briefing given to every traveler. Contingency and travel emergency plans should be revised and refreshed accordingly. The important difference with plans now versus pre-COVID-19 is that the security, safety and health infrastructure across countries may have changed, in some cases dramatically. Security leaders will need to ensure their travel security teams or services remain current with all the changes that a business traveler may encounter. For example:

  • What changes can a traveler expect upon airport arrival/departures?
  • Have existing travel visas been cancelled due to COVID -19 controls thereby requiring new ones?
  • Will there be a requirement to download tracking apps on smart phones?
  • Are mandated quarantines upon arrival still in place? If travelers become symptomatic while away and forced to self-quarantine in a foreign location, are they properly equipped, prepared, and briefed with the best access to healthcare information and hospitals?
  • Is the healthcare system or previously recommended hospitals at their destination stressed and short of supplies to the point they can't provide adequate care if needed?
  • Have ground transportation logistics and rules changed for taxis, ride share services or public transit? Should use of public transit be prohibited for business travel for a period of time?
  • What changes can travelers expect at hotels?
  • When and if effective, medically approved COVID-19 antibody tests are available, should a company consider only allowing business travelers who have been tested to travel to riskier locations? What employment concerns enter into that discussion?
  • Should all business travel be voluntary or require secondary levels of approval?
  • If hot spots emerge and flights are cancelled with short notice, stranding travelers, how is the company prepared to manage such occurrences?
  • Should a company consider requiring versus suggesting certain actions by business travelers, such as:
    1. Enrollment in the U.S. Department of State's Smart Traveler Enrollment Program.
    2. Updating or validating emergency contact information prior to travel.
    3. Reporting of personal travel to known international or U.S. "hot spots" before being approved for business travel.

Being a prepared traveler will be more important than ever. Security travel teams should equip business travelers with the most current information prior to and during their trip. It may also be beneficial to debrief early travelers upon their return from a trip to learn from their experience and identify tips and information that may not have been included in government or third-party global risk briefings. Debriefing travelers early on will also demonstrate a sense of care for the employee and perhaps yield useful information for future travelers to a region.

Maintain a contagious illness working group - After the current wave of the pandemic has passed, a company may want to keep a small team of internal stakeholders (e.g., Security, Safety, HR, Facilities, Legal and Corporate Communications) in an ‘on-call' status to manage virus issues, incidents and concerns that emerge or are raised by employees. While I was with my previous employer, we had contagious illness working group made up of HR, Security, Real Estate, Business Continuity, and Legal in place for over 18 years. Working dozens of small and larger-scale contagious illness incidents over such a long period developed muscle memory and a disciplined approach of trust, expediency, and professionalism when handling a variety of cases. When the COVID-19 crisis passes, maintaining a contagious illness team at the ready will help prepare a company for any future incidents, small or large.

Leverage employees' experience and suggestions - Consider keeping employees up to date with a company's efforts to manage COVID-19 until a vaccine and/or therapeutics are widely available. Also call on employees to share their inputs, suggestions, and concerns for ways they need to stay informed and engaged to help boost productivity and morale. The priorities of this crisis remain health and safety followed by business resumption, with the latter intrinsically dependent on the former. Employees are at the center of both priorities, and it is their experiences, real and perceived, that will help a company keep people healthy and return to business operations as efficiently as possible. A company's internal crisis team will benefit greatly by keeping the pulse of the employee experience throughout the coming months. This pulse will inform the crisis teams on what measures are working, which require modification, and where new ones are needed to navigate what will be a bumpy journey forward. Leveraging employees also emphasizes the importance the corporation places on those centerpiece focal points of trust, transparency, health and wellbeing of employees.

Prepare After-Action Reviews (AAR) - Because of the length of this crisis, smart companies will perform AARs at certain points throughout it and when it is finally over. Performing AARs on a recurring basis will help capture important details while memories are fresh. Aside from answering the usual "what worked and what didn't" questions, security teams may want to also consider the following:

  • What resources, equipment, protocols and strategic external business partners and experts, were needed, and at what different stages during the crisis?
  • How can these things be leveraged differently for potential future waves of COVID-19 or entirely different contagious illness events - small or large?
  • What new technology should security be aggressively advocating for to reduce cost and to provide better control and management of a similar crisis? Are hands-free access controls, robots, integrated visitor management systems, smartphone apps, voice-enabled kiosks, others practical and cost effective? Security should be prepared with a "shovel ready" list of those capital and operational expenses, complete with ROI calculations for each.
  • Were critical security vendors able to perform satisfactorily and support all your needs at the outset of the crisis? If not, were they able to adapt quickly?
  • Some companies may be also be evaluating their organizational structures to assess how well they responded and managed this crisis, especially business continuity and resilience. Security should be poised and ready to accept any new responsibilities that they could assume which play to their core strengths, talents and experience managing crisis events.

It may also be beneficial as part of an AAR for a company to look back at what actions, controls, and measures Countries and individual U.S. states adopted as they passed through the apex of their pandemic curves. Creating a timeline of the macro issues of what happened externally and internal to a company with the benefit of hindsight may provide helpful markers to consider for the future.

Until we know what re-opening will look like for business, industry, or even society, it will be difficult to fully plan for longer-term strategies to mitigate and battle deadly future contagious illnesses. There is much talk amongst health experts, governments, and business leaders that we will not return to business as we knew it for quite some time. We may come to realize that avoiding future work stoppages from health crises - not only future pandemics, but perhaps even seasonal flus that pose a higher risk to vulnerable groups and for which there is no effective vaccine - will require us to employ many of the tactics we are using now to combat COVID-19. For example:

  1. Not shaking hands
  2. Increased work from home for high risk individuals
  3. Increased workplace sanitization routines
  4. Wearing masks
  5. Social distancing
  6. Splitting work functions
  7. Restricting travel to/from locations that experience large outbreaks

Pro-active campaigns for vaccines and proof of immunization for critical roles - Consider socializing the idea amongst internal stakeholders to push for more education and awareness and to consider making vaccines available to employees. Vaccines have been an increasingly polarizing topic amongst many groups, so this is not one to be taken lightly or without healthy debate amongst stakeholders to fully consider the laws, health considerations, individual beliefs and business needs. Consider the pros, cons, legal and other challenges of having critical function staff maintain immunization records and/or blood titers during outbreaks of contagious illnesses (e.g., coronavirus, MMR, and chicken pox) that could prompt closure or quarantine by health officials. Work with HR and Legal to ensure HIPAA, religious sensitivities, and other laws are respected. HR and Legal would also be knowledgeable of whether immunization records for critical functions constitute a bona fide occupational qualification for certain critical roles or circumstances.

Communications and on-going contagious illness awareness - Consider keeping active campaigns, awareness, and messaging in multi-media and multi-lingual formats as we move through COVID-19 phases and safe hygiene messaging into the future. Employees will have a strong interest in company actions pertaining to COVID-19-related workplace actions and will likely have a heightened concern and interest in all future contagious illness outbreaks impacting the workplace. Just as we prepare for seasonal natural disasters such as tornados, hurricanes and wild fires having a site with links such as helpful FAQs, travel advisories, internal policies, and hand hygiene will help keep people informed, vigilant, safe, and better prepared for endemic, epidemic and pandemic health issues.

Increased workplace and domestic violence spillover - According to the International Association of Chiefs of Police, many law enforcement agencies are reporting increased domestic violence since stay-at-home orders were issued. Will more domestic violence spill over into the workplace when stay-at-home orders are lifted? Will the increase in job losses, financial stress, mental disorders, post-traumatic stress disorder, and grief increase the potential for more of the following in the workplace?

  1. Hostile behavior
  2. Threats
  3. Violence
  4. Substance abuse
  5. Threats to self-harm or suicide
  6. Erratic behavior/inappropriate conduct
  7. Theft

If you do not have a documented workplace violence plan or existing program, now would be a good time to prepare one. If you have one, now is the time to refresh it. Security should remain informed of all trends brought about by this crisis with the potential to impact the workplace and should make stakeholders aware of them.

Potential for civil unrest - Globally and within the U.S., drivers for civil unrest can arguably fall into the categories of political, economic, and social. Though not currently a problem, essential supply chain (e.g., food and medicine) or utility disruptions could result from COVID-19 repercussions. Security teams would be well served to remain vigilant, looking for signals of potential unrest across regions globally and in the U.S. where they have operations. In the U.S. for example, federal stimulus money is not going to certain groups like the homeless. Would U.S. cities with large homeless populations and known active civil rights supporters be at a higher risk for protests and/or unrest? Could the cities that had high numbers of Occupy Wall Street protests back in 2011 be the likely locations for potential COVID-19-related unrest to occur? What about in countries with a history of civil unrest, large populations with fragile infrastructures or political institutions, or where U.S. multi-national corporations have significant operations?

Increased fraud, insider risk, product diversion, counterfeiting - Recently, U.S. Federal Agencies announced enhanced enforcement efforts to combat potential increases in transnational crime, drug and terrorist activities as criminal and terror groups look to exploit the COVID-19 pandemic for their benefit. Companies may want to increase their vigilance in monitoring known hot spots of past crime (traditional and cyber) for upward trends of fraud, counterfeit, and theft of their products and intellectual property. Combatting these challenges and efforts to protect a company's brand, customers and bottom line have become more difficult with COVID-19, especially as law enforcement agencies are stretched thin and forced to focus on higher priority issues.

In Conclusion
This is understandably a great deal of information to digest and by no means should be considered an exhaustive list of security, safety, and other business functions' items to consider when looking to construct tactical and strategic plans to manage the ongoing COVID-19 pandemic. Also, as was mentioned at the outset, every company's culture, business operations, and risk tolerances are different. Moreover, the laws, regulations and guidance coming from local, state, and federal governments are different and quickly evolving as everyone comes to grips with this novel virus. Assembling the proper stakeholder functions within a company, assisted with the right health and subject matter experts to formulate realistic and actionable plans that meet a company's needs and comply with applicable rules, regulations and guidelines, will best position them to be resilient and successful.

For more resources see SEC's COVID-19 Security Related Resources

Contact us if you need assistance in COVID-19 strategic planning, response or recovery at

You can download a PDF of this page below:
Return to Program Best Practices