Gert Cruywagen, COO: Risk and Insurance of Gripp Advisory and a Member of the King Committee on Corporate Governance
Protean does a lot of work assisting clients to prepare for effective response to crisis and disruption through the development of Crisis Management and Business Continuity Programmes. We therefore understand the importance of effective Business Continuity programmes. We engaged with Gert Cruywagen, COO: Risk and Insurance of Gripp Advisory and a Member of the King Committee on Corporate Governance, to get an expert view on Governance and Business Continuity during the time of Covid-19. This is what he had to say:
There is a debate in certain circles about whether a new set of Business Continuity Plans (BCPs) is required to deal with the COVID-19 pandemic and its effects and consequences, as well as the role of the governing body in this process. The debate also centres on the question of whether the current Governance Principles in King IV are sufficient to deal with events like the current pandemic.
In debating this matter, the question is always what one reviews and debates first – Business Continuity or governance? Here, Business Continuity is addressed first and foremost.
King IV Principle 4.1 Practice 5 states: “The governing body should delegate to management the responsibility for risk management which includes assessment, design and implementation of responses, continual monitoring and reporting thereon.” Business Continuity Management (BCM) is one of the responses that management will design and implement following the risk assessment process as described above.
One misconception that should be dispelled at the outset is that organisations need a new set of Business Continuity Plans to specifically address COVID-19. This is simply not true. If BCPs have been well designed, they should be able to address any eventuality forcing organisations to cease their normal activities for an extended period. There is no need to change everything simply because of COVID-19. BCM focuses on ‘business enablers’ and not on scenarios or individual events (Murphy’s Law will ensure that the one scenario you did not plan for is the one that unfolds).
Broadly speaking, Business Continuity Plans consist of sub-sets of plans, namely:
- Emergency Response Plans
This is the immediate response to an incident, where actions need to be taken swiftly in order to safeguard life, limit injuries, and prevent escalation of physical damage. This phase includes, but is not limited to, building evacuation procedures (i.e. fire marshals, First Aiders and assembly points). This addresses the need to immediately respond to unforeseen events, whether these events are fires, floods, earthquakes, cyclones, hail, as well as infectious and contagious diseases like Ebola, SARS and now COVID-19.
- Crisis Management
This is a senior management function aimed at strategic decision-making and the provision of leadership/direction for incident/disaster management. This phase also focuses on ensuring effective internal and external communication during and after the incident/disaster. The Crisis Management Plan outlines how an organisation would deal with issues relating to reputation, brand/image, stakeholder confidence and the media. It normally calls for a Crisis Committee, consisting of key staff members with the requisite skills and experience (and specific BCP training), to be convened.
- Salvage or Clean-Up Plans
These plans deal with the immediate aftermath of the event, irrespective of its nature, and they detail the steps required to get the organisation back to normality.
- Business Continuity Plans
This is the process of recovering/continuing urgent and critical business processes/ functions, in a predetermined time after an incident, in order to minimise the impact on the organisation.
It should be clear from the above that well-written BCPs can be used for any unforeseen event, and specifically COVID-19, without the need for major rewrites or revision.
The formal application required in King IV states:
- The governing body should delegate to management the responsibility for risk management (King IV Principle 4.1 Practice 5)
- The governing body should exercise
ongoing oversight of risk management, including that it provides for the
- establishment and implementation of business continuity arrangements that allow for the organisation to operate under conditions of volatility and to withstand and recover from acute shocks (King IV Principle 4.1 Practice 6d)
The requirements are absolutely clear and reinforce the point that nothing new or specific is required to deal with COVID-19, provided the abovementioned Principle 4.1 is applied.
The following King IV Principles, as well as detail points, are therefore applicable around the governance of Business Continuity:
- The organisation should have the correct governance framework in place, detailing the role of the Governing Body, even during a crisis.
- The Governing Body should remain non-executive and independent and resist the temptation to get involved in executive functions.
- The Governing Body should leave the day-to-day activities in dealing with the unforeseen event to the Crisis Committee.
- The Governing Body should continue to play its oversight role.
- The responsibility of the Governing Body is to ask the correct questions, and to ensure it gets the correct answers.
- The answers to the questions should enable the Governing Body to understand the various impacts of the unforeseen event on the organisation.
- The Governing Body should ensure that
its sub-committees assist in asking the correct questions and get the correct
- Audit Committee: should get answers on income and expenditure, cashflow and going concern, funding, debt, covenants, cost control, onerous contracts, insurance and other relevant matters. The Audit Committee should receive assurance on the continued adherence to financial controls including delegation of authority, separation of duties, and the like.
- Social and Ethics Committee: should get answers on personnel matters, including continuity, pay and benefits, staff wellness, transport, personal protective equipment (where applicable), additional training, and the like. It should also get answers on community impacts, CSI project sustainability, environmental impacts, etc.
- Risk Committee: should get answers on security, fire protection, reduction of combustibles and flammables, shutdown of hazardous processes, waste disposal, isolation of gas, electricity and water supplies, as well as assurance on regular inspections.
- Delegation to a committee or a governing body member will not by or of itself constitute a discharge of the governing body’s accountability. The governing body needs to apply its collective mind and constructively challenge the recommendations and decisions by the committee. (King IV Principle 3.3 Practice 48)
It is clear from the aforementioned that there is no need for a special set of governance requirements to deal with Covid-19, as existing governance principles are sufficient. The King Code on Corporate Governance (King IV) provides for an ‘outcomes-based approach’ without going into specifics for each eventuality that any organisation may face during its lifetime. Governing Bodies should simply apply the existing principles of both governance and risk.