Continuity Planning in the COVID-19 Era
The COVID-19 pandemic has presented myriad practical and legal challenges to business and the directors who oversee them. As companies continue to adjust to the realities of working from home and remotely connecting with their employees, customers, and management, the once-theoretical consideration of business continuity planning became a reality that had to be addressed immediately. Failure to adequately plan, and to sufficiently monitor those initial plans, can subject directors to potential liability for breaching their fiduciary duties. Below, we discuss how businesses can mitigate these risks in the COVID-19 era.
Legal Obligations for Continuity Planning
It is axiomatic that directors discharging their fiduciary duties of care and loyalty must act in good faith to ensure they are informed about the business and its operations. Absent these efforts, directors cannot successfully discharge their duty of oversight, as established by Caremark and its progeny (see previous client alert, here). A business disruption—including the COVID-19 pandemic and its fallout—does not relieve directors of compliance with their duties. Rather, it heightens the need for directors to stay informed and knowledgeable, so that they can act in good faith for the best interests of the corporation, regardless of the circumstances.
The requirement of continuity planning is not simply limited to fiduciary obligations. For example, the Securities & Exchange Commission (SEC) has proposed rules (the Rule) for registered investment advisers (RIAs) that require the implementation of written continuity plans. As the SEC noted, its staff had “observed advisers with less robust planning, causing them to experience interruptions in their key business operations and inconsistently maintain communications with clients and employees during periods of stress.” (p. 8-9.) Though not yet adopted, the Rule proceeded from the view that, to effectively mitigate such risks, entities must adopt “plans that are reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.”
Once those plans are implemented, particularly during exigent times such as the beginning of the COVID-19 pandemic, directors should routinely revisit and monitor the adequacy of the plans in continued fulfillment of their oversight duties under Caremark.
Practical Steps for Business Continuity Planning and Monitoring
There is no one-size-fits-all approach to business continuity planning, but key considerations that should be addressed in a business continuity plan include:
- Putting steps in place to ensure the maintenance of key data and systems to allow for the continued operation of the business in the event of a large-scale interruption, such as a pandemic or natural disaster.
- Companies face greater risk to data and systems continuity when employees access company networks remotely, including risks of cyber threats. The board should consult with IT professionals to implement, monitor, and update plans to address vulnerabilities caused by employees’ improperly secured home networks and routers; a system for successfully distributing patches and software updates to users; protecting against phishing schemes (including phone calls from bad actors pretending to be company IT professionals), which often become more prevalent during times of crisis; and the increased likelihood that shared computers may be used to access sensitive information, among other threats.
- Companies face greater risk to data and systems continuity when employees access company networks remotely, including risks of cyber threats. The board should consult with IT professionals to implement, monitor, and update plans to address vulnerabilities caused by employees’ improperly secured home networks and routers; a system for successfully distributing patches and software updates to users; protecting against phishing schemes (including phone calls from bad actors pretending to be company IT professionals), which often become more prevalent during times of crisis; and the increased likelihood that shared computers may be used to access sensitive information, among other threats.
- Robust backup and restoration capability for those systems, including alternative locations allowing for the operation of key systems and data during a business interruption, and a plan for remotely continuing business operations for extended periods of time.
- A program for testing and verifying the efficacy of the planned systems.
- Transition planning that allows for the assumption of key duties by other members of the company’s staff, and which provides for the necessary communication between employees, management, and key third-parties.
When companies create and implement business continuity plans, boards should actively ensure that the planning meets the needs and addresses the risks of the business in fulfillment of their fiduciary duties of care, loyalty, and oversight. As such, boards should consider the following steps at a minimum:
- Review and evaluate any existing business continuity plans and their effectiveness in the COVID-19 pandemic and, if such plans are not in place, the formation of a subcommittee (or use of an existing board committee) to spearhead the establishment and monitoring of such a plan;
- Consult with executive management and outside advisors (including technical and legal) to evaluate the effects of the COVID-19 pandemic on the business’s operations and resilience, and potential changes reflecting that evaluation; and
- Establish a secure repository of key documents and reporting data accessible to board members during a business interruption, along with a secure means of communication among board members, to provide the necessary information and access to fulfill their oversight responsibilities.
Once implemented, boards should regularly monitor the performance and continued appropriateness of the plans during the period of crisis. As the end of most public companies’ financial quarters is approaching, now is the time for boards and committees to seek updates from management and outside advisors on the success of their companies’ plans and address any issues that have occurred or changes that have been identified after implementation.
Finally, any continuity plan must account for the well-being of the company’s employees. Working to protect their health during a business interruption (such as the COVID-19 pandemic) is critical to the ongoing effective operations of any business. Planning for employees should include:
- Ensuring proper health resources, both mental and physical, are in place and made available to employees.
- Compliance with applicable federal and state guidelines to protect the health of returning employees, including those promulgated by OSHA, the CDC, and state boards of health.
Taking these steps will help mitigate risks during times of crisis, including during the COVID-19 era.
--
VORYS COVID-19 TASK FORCE
Vorys attorneys and professionals are counseling our clients in the myriad issues related to the coronavirus (COVID-19) outbreak. We have also established a comprehensive Coronavirus Task Force, which includes attorneys with deep experience in the niche disciplines that we have been and expect to continue receiving questions regarding coronavirus. Learn more and see the latest updates from the task force at vorys.com/coronavirus.