Skip to main content

Lessons Learned for Supply Chain Pandemic Planning Part 1: Governance and Risk Assessment

Oddly enough, the lessons learned from the Covid crisis are very similar to the lessons learned from the LAST major epidemic that hit the world, the H1N1 crisis.  At that time, I wrote a study for the IBM Business of Government, titled “Planning for the Inevitable:  The Role of the Federal Supply Chain in in Preparing for National Emergencies” that laid out important trends that were apparent as a result of the avian and H1N1 flu viruses that occurred in the global economy.  This report established number of lessons learned need to be considered and implemented into the fabric of federal, state, and local governments.   As part of this report, I also developed a maturity model that identified different stages of preparedness planning needed prior to a pandemic.

Here we cover the first two categories:  Governance and Risk Planning.

Supply Chain Pandemic Governance

One of the most important elements in creating a pandemic plan is the level of organizational governance and team planning activities dedicated to the issue.  During the avian flu and other recent incidents, there appeared to be varying levels of organizational response to the issue, ranging from ad hoc committees which monitored industry trends, periodic conference discussions, open forums for discussion, and other forms of ad hoc activities.  In more recent years, particularly in 2008-2009, organizations have put together cross-functional teams to view the issue.  As many organizations also created business continuity planning councils with representatives from multiple functions gathering to measure and assess enterprise risk issues, sub-committees have often been formed to specifically identify risks associated with a pandemic event.  At the most mature levels, organizations have established dedicated teams of supply chain professionals who team with key operational and security officers to established documented plans and pilot tests associated with pandemic plans, with formal executive reviews and business case development around potential risks of a pandemic event.  These types of activities represent a serious dedication of resources to pandemic planning, and often involve significant studies and simulation analyses to establish “what-if?” scenario planning and contingency plans, leading to specific recommendations on stockpiling, training, supply risk management, and other components of our maturity assessment.  In many cases, these teams have the authority to establish specific policies and strategic planning coordination with executive functions to enable the right level of preparedness.


Supply chain risk planning is the first critical activity that the newly formed pandemic threat team must carry out.  The process of developing a risk plan involves several steps that can be followed.  These include the following

  1.  Identify all employees and suppliers that are potentially impacted by a pandemic.

This activity involves conducting a series of “what-if” exercises, involving creation of high level value stream maps that define which employees or suppliers are involved in critical processes.  For example, processing a stock trade involves communication between a trader and a customer, which can largely take place through electronic and telephonic communication.  However, delivery of coal to an energy generation plant requires a physical presence of the coal supplier, the transporter, the railway, the bulldozer operator, and the generation plant personnel.  While these scenarios may seen simplistic, it is important for the team to take a structured approach to value stream mapping and consider all impacted individuals who might not come to work given a pandemic scenario.  These employees/suppliers should be classified into whether or not their physical presence or geographic proximity to other potentially infected individuals is required or not

2.  Establish criticality of associates and suppliers

Next, the team needs to classifications of associates and suppliers who are impacted, and then classify them as to whether they must work on site or not.  In general, three categories will follow:

  1. Individuals who are critical and must work on-site. Training and precautionary protection should focus on these individuals, and they may be targeted for a first round of anti-virals and protective measures.
  2. Workers who are critical to the business, but can work from home. Establishing work-at-home policies can be extensive, and may include specific portal development, laptop distributions, specialize internet access backbones, and other technological elements.  Workers must be able to access their office documents and files online, and this may require additional effort.  More mature organizations have not only established work-at-home policies, but have validated and tested them by having these workers actually work from home at least once a month to determine shortfalls and gaps in coverage.  A pilot assessment should indicate that every employee must show that they can be productive working at home.
  3. Workers who are not critical, and can be postponed.
  4. Workers who are absolutely postponeable. Executives need to consider whether these individuals will remain on the payroll with benefits.  They may be needed in a start-up mode.

Training is especially critical for employees who fall into categories 1 and 2, and specific programs should be directed for intensive training and education to this populace in the first wave.

3.  Establish an Enterprise Function Risk matrix highlighting business critical functions probability of infection.  This matrix can be created based on subjective factors, but should reflect the relative impact on the business, and likelihood of exposure.   An example risk impact matrix is shown below.  Even a subjective set of assessments will provide an initial glimpse into the key associate groups that are considered critical to business continuity and the likelihood that they will be infected due to physical exposure.  Examples of functions that are most likely to impact the business, and are likely to be exposed, include any individuals associated with operations, sales support, direct materials, customer service, logistics, or field service.  Identifying the number of these individuals is an important step, as roles may have changed in the past six months, and specific individuals and suppliers need to be identified and contacted.  The results of this analysis may often provide surprising results to the team.  For example, individuals who HAVE to be on-site for a facility to operate often include security guards, HVAC, facilities engineers and workers, and janitorial/waste management.  These individuals are often considered low-wage, and may have a minimal amount of training, yet are considered critical to the operation.

Likewise, a supply chain risk assessment may identify critical categories of supply that can potentially disrupt operations.  For example, coal is considered a critical category that can impact energy generation supply.  Likewise, rail transportation that delivers the coal is also considered a critical element.  Chlorine for water plans is important, as many water processing facilities only have 3 days of chlorine for water, and must keep higher numbers of tanker cars to ensure water continues to be operating.  In hospital operations, one area that is considered important is IV tubes for ventilators.  Most of the ventilator tubing is not produced in the US, and although there is some inventory of tubing in the US, this supply would not be enough to support a full-blown pandemic.  If borders are shut down, this could become a highly critical situation.  Other on-site services such as facilities, janitorial, distribution, customer field support, and other areas are considered critical supply areas that may not have been viewed as critical in the past from a supply management perspective.  Under the rubric of pandemic risk planning, however, these may now become essential suppliers that must be included in a formal pandemic planning risk exercise.

4.   Establish Potential Action Plans

Once key nodes in the supply chain and enterprise delivery model are understood, preliminary plans need to be identified to establish business continuity actions in the event of a pandemic event.  Several potential options exist here.  The most basic of these measures is the importance of individual responsibility to wash hands and use disinfectant products on the hands when using restrooms and prior to meals.  The primary method of transmission occurs through hand contact with a virus that is subsequently passed to an individual through actions as simple as scratching an eyelid, lips, or nose.  Training and education on personal sanitary precautions in the work environment during the early phases of a pandemic can have a major impact on the rate of transmission.

Another set of activities involves closing non-critical facilities during a pandemic, and encouraging employees to work from home (also known as “social distancing” or “teleworking”).  Social distancing reduces the frequency, proximity, and duration of contact between people which reduces the chances of spreading pandemic influenza virus from person-to-person.    This is clearly not always an option, as there are often activities that require the physical presence of an individual to complete the necessary work activity.

Another set of measures involves creating stockpiles of critical materials for critical employees, that can provide a stopgap measure to ensure that workers continue to work during the event.  This is covered in more detail in the next section.

One important feature of organizations which have well-established, mature risk planning functions is that they not only create a risk matrix, but they also “stress-test” this matrix through scenario simulations to create a pandemic environment.  For example, several of the firms in the financial and energy sector have had “trial runs” where a given percentage of workers stayed and worked from home, to determine the net impact on operational disruptions.  These types of simulated activities create important lessons learned after a thorough post-mortem takes place, and provides a higher level of resiliency and confidence in risk plans.