Coronavirus: Preparing your council for the crisis

Central government is implementing measures to confront the coronavirus outbreak. David Hill works through the questions local authorities will need to address as the virus spreads.

The coronavirus is dominating news reports. The virus has established itself as a major health risk on a global stage with countries taking a range of different measures to control the movement of citizens in order to control its spread and mitigate risks.

And though the reports make for grim reading, local authorities can take action too. Indeed, councils should be taking steps to quantify the potential impact of the virus and its associated illness on their ability to deliver services.

Keep in touch – register for Room151 treasury and finance meetings ONLINE

Local authorities must be transparent and take a lead in being open with their key stakeholders (partners, suppliers, customers and citizens) on what risks they face, particularly in the areas of staffing shortages that could have an impact on service delivery. 

Councils as well as the businesses they have in their areas (especially those councils that are more active in the commercial income generating sector), could also be impacted by the situation and they should be actively engaging with key stakeholders, including business resiliency partners, to ensure that plans are in place. This includes considering how the outbreak might affect supply chains, cash flow management (especially key suppliers) and service provision.

Management teams (and the Board) need to identify and understand the sources of disruption and the potential impacts. Leaders need to establish key indicators that provide continuous assurance about operational impacts and the effectiveness of mitigation plans.

Continuity

Many councils who are in the process of, or who have already implemented digital transformation programmes, now need to review how they can continue to deliver certain automated business-critical activities that utilise the internet or mobile technologies as part of the delivery mechanism.

It is time to ask yourselves: When was the last time you reviewed the criticality of various business processes to make sure the order of recovery is appropriate?

So, time to ensure those business continuity plans are in place and updated, staff across your organisation trained and made aware that each one of them has a role to play in service delivery.

It goes without saying, as part of your preparations don’t forget your internal audit team are there to assist, provide an independent and objective view, and provide assurance. The current coronavirus is one such area where they can assist.  

Checklists

Key disaster preparedness questions:

• When was the last time your organisation’s resiliency plans were reviewed by key stakeholders? When was the last time your organisation’s plans were tested and by whom?
• How do your current plans address natural disasters, pandemics, or other potential disruptors that could impact your facility? Your employees? Your cloud providers? Your suppliers? Your customers?
• When was the last time your organisation reviewed its contracts with business resiliency partners?
• How are vendors, emergency responders, regulators, insurance agencies, and other critical stakeholders notified of point of contact changes?
• How capable is your organisation to perform manual versions of business-critical automated activities? Are the needed forms and procedure manuals available? Are you appropriately staffed to do so?
• How often does your organisation verify the criticality of various business processes to make sure the order of recovery is appropriate? How does IT ensure the critical infrastructure components are enabled to allow for the business recovery requirements?
• What business objectives would be hindered or restricted if there was limited or no internet or cellular access?
• What training have your employees and business associates received on what to do in the event of a natural disaster or a pandemic?
• Is your data centre and/or your cloud provider capable of running “lights out,” meaning no workers present for an extended period?
• What business-critical processes or activities would not be transferrable to an alternate location? Which have regulatory implications based on timing or duration of event?

Social engineering

Key social engineering questions:

• What are your organisation’s practices, policies, and training involving the threat of social engineering? How are these communicated to employees and enforced?
• Is the threat of social engineering completely understood and communicated to all levels of employees at your organisation? Which systems and processes are particularly vulnerable to social engineering? Which key business processes have potential to be affected?
• What testing does your IT department do relating to areas of specific vulnerability to social engineering?
• Do you have plans to audit your organisation’s areas of specific vulnerability to social engineering?

David Hill is chief executive of SWAP Internal Audit Services.