In my first post on this subject, I explained why COVID-19 (COVID) passes the materiality test. But this begs the question: If it’s a material topic, do companies need to add it to their list of ESG risks and report on it for years to come? Do companies need to consider future pandemics?

The truth is, it’s not really about COVID. Rather, COVID is a magnifying glass pointed right at companies’ existing vulnerabilities. Which topics are under the lens?

1.       Employee health and safety, including mental health

2.       Human capital

3.       Crisis management and business continuity

4.       Supply chain resiliency

5.       Technology and cybersecurity

I believe companies need to use this year’s disclosures (financial and non-financial) as an opportunity to explain how they managed the risks that COVID has brought to light in the following five areas:

Employee health and safety: This is the obvious one on the list. Companies should answer how they kept, and continue to keep, their employees safe during the pandemic. However, one aspect that should not be overlooked is how companies supported their employees’ mental health during quarantine and lockdown (which lasted several months in most countries and it has been recently reinstated in others). Did the company provide assistance to employees through the uncertainty, isolation, and unfamiliar circumstances of a very different work/life balance?

Human capital: Due to the negative economic impacts of COVID, many companies needed to lay off employees. How companies dealt with this situation is key to their ability to recover and attract talent when their business bounces back. Companies should show how they balanced their short-term need to cut costs, with their long-term employment strategy.

Crisis management and business continuity: Is the company able to maintain essential functions during and after a disaster? This question is not specific to COVID and is one that all businesses should be able to answer. Organizations got a chance to test their crisis response processes during this unprecedented time. The learnings and (hopefully) improvements should leave businesses better prepared for future events.

Supply chain resilience: Activities that companies needed to undertake to enhance the resilience of their supply chain before the pandemic remain even more relevant after the pandemic: having a diversified supply chain, nearshoring, having inventory buffers, and standardizing when possible. The pandemic has tested even the strongest of supply chains and choosing suppliers based solely on lowest cost is no longer an option. I hope that this is not just a movement away from Chinese suppliers but a movement towards more strategic supply chain design for years to come.

Technology and cybersecurity: Were employees able to work remotely, literally overnight? How well was the company prepared to manage cybersecurity threats? Has the company already invested in technologies or processes that address these challenges? Working from home and digital collaboration have their benefits, but the shift to a largely digital workspace created perfect conditions for an increase in cyberthreats. The FBI reported as many as 4,000 complaints a day about cyberattack, which is a 400% increase from what they were seeing pre-COVID. In 2020, Honda and Carnival (the cruise operator) were the target of cyberattacks, and there are many other such examples. Companies with already strong cybersecurity programs and who had prepared their employees for phishing attacks were ahead of their peers. Whether your company was behind (and had to step up its game) or was ahead (and has evidence to back it up), this is something investors and Boards of Directors are keen to know.

Whatever you report this year, you will want to address these five issues.

In our third and final post on COVID, I will outline five things CEOs should address in their letter to shareholders and stakeholders.