Well, here’s a stroke of luck: a compliance officer I know in the tech sector happened to begin a project at the start of this year — developing an infectious disease response program for his firm. Maybe this CCO had a premonition of the future; maybe he had an inkling that Covid-19 would become a global menace.
Either way, this CCO shared some of his thoughts and program principles with me earlier this week, so let’s take a look.
First, our fellow CCO went looking for guidance, templates, and sample programs online. He recommended the Centers for Disease Control’s Guidance for Business, as well as San Francisco’s Infectious Disease Emergency Response Plan.
Both sites offer voluminous material, and then point to yet more material available from other regulators and public health institutions. So as obscure as pandemics might have been — seriously, who expected six months ago that this would be our most pressing risk issue today? — you can find tremendously helpful guidance out there.
Second, my CCO friend was deliberate in what he called his plan: “Infectious Disease Outbreak Response Plan.” And because we can never have too many terms of art in corporate compliance, that plan is formally known as the IDORP.
That word choice is more important than it seems, because it helps executives focus on what the company really needs to do: control the outbreak of disease among your workforce.
That’s not the same as a pandemic response plan. Pandemics are larger than any one company or country, and they raise issues of supply chain stability, international travel, telecommuting resources, and so forth. That is, pandemic response plans address huge, disruptive forces.
IDORPs focus on your company’s response to illness. They force you to develop specific policies about absenteeism, paid sick leave, physical access to buildings, payroll, cleanliness of company property, and so forth.
This is important because regardless of when Covid-19’s preliminary surge ends and governments start easing lockdown restrictions, the virus will continue to haunt us for many months, if not years. Cases will linger in one region or another. New outbreaks will happen again.
Businesses will need a way to navigate those better, but still dangerous, times. Several weeks ago I called these issues the down-slope risks of Covid-19, where we’ll need to integrate disease management protocols into ongoing business operations. That’s what IDORPs try to do. Every company will need one.
IDORP Oversight and Basic Structure
So what’s the structure of an IDORP? My CCO friend described these elements:
- Senior leadership team (name, role, phone numbers)
- Facility coordinators (name, facility, phone numbers)
- Background and Purpose of the IDORP
- Scope of the IDORP
- Triggers for plan activation
- Potential actions to be taken
  - Incorporate CDC recommendations or other guidance
  - Steps are discretionary with the IDORP team; none are mandatory
- Who owns the plan
- Effective date and version information
Those points align nicely with business continuity plans generally. You can see the same themes in FINRA’s pandemic preparedness guidance, which we looked at last month. Much of the goal here is just to create a plan and assign responsibility to specific executives, so there won’t be confusion when the pandemic actually arrives. But really, that’s just as important for hurricanes, blackouts, or any other sudden disruption.
The points that are specific to disease start with “Triggers for plan activation.” In the ideal world, you tie those triggers to some disease risk framework from public health authorities. For example, you could tie your program’s triggers to the World Health Organization’s classification of pandemics, which works on a scale of Phase 1 through 6.
I mean, we’re a bit late to that party with Covid-19; but other disease outbreaks will happen again. Tying your policies and procedures to the WHO framework provides clarity about when you take steps, after your IDORP first identifies who will take those steps.
Disease Control Steps
The other important point with an IDORP is wrapped up in this line from above: “Incorporate CDC recommendations or other guidance.”
That’s where compliance, HR, and business operations leaders need to work together to devise policies and procedures about how to handle potentially sick employees and visitors to corporate locations. The steps need to be clear, specific, and relevant to employees’ daily lives.
For example, from my CCO friend’s IDORP…
- Associates who have symptoms of respiratory illness are recommended to stay home and not return to work until they are free of fever (100.4° F or greater using an oral thermometer) and any other symptoms for at least 24 hours, without the use of fever-reducing or other symptom-altering medicines (e.g. cough suppressants).
- Instruct associates to clean their hands often with an alcohol-based hand sanitizer that contains at least 60 to 95 percent alcohol or wash their hands with soap and water for at least 20 seconds. Soap and water should be used preferentially if hands are visibly dirty.
- Communicate with external vendors who provide onsite services, such as security, food services, janitorial services, etc., to communicate our expectations during the outbreak and to find out their own protocols for safety and protection during this period.
That’s the level of specificity an IDORP needs — right down to what temperature constitutes a “fever” and how one defines “fever-free,” or the amount of alcohol in hand sanitizer.
I also like that third bullet point about working with your third parties to incorporate them into the IDORP. To a certain extent, that should be familiar ground to compliance officers, because you’ve been doing the same with your third parties for anti-corruption issues for years.
For example, plenty of companies ask their third parties to certify the party’s level of FCPA awareness and compliance; and for those parties whose own compliance program is poor, you might require them by contract to meet your higher standards. We’ll need to do something similar with IDORPs for disease control.
So whoever is on your company’s covid crisis team — those people will need to identify sensible disease control steps for their organization, convert them into relevant policies and procedures, and then communicate that plan throughout the enterprise. Then local business unit leaders will need to be responsible for putting those IDORP steps into practice.
Because even when the high point of the curve fades, Covid-19 itself will remain with us for quite some time. The challenge is to develop a “covid-aware” corporate culture for the long haul.