Busy season has taken on a new meaning because of coronavirus concerns, which have forced firms and other organizations to quickly set up alternate work environments. Les Nettleton, director of information technology at New Orleans firm Bourgeois Bennett, has firsthand experience in crisis planning, having gone through Hurricane Katrina in 2005. He shares advice for organizations assessing the feasibility of longer-term remote work in response to the coronavirus.
What you’ll learn from this episode:
- Why constant, regular communication matters for coronavirus scenario planning.
- The importance of flexibility in those plans.
- Nettleton’s business interruption lessons from Hurricane Katrina.
- The technology questions organizations should ask themselves to set up at-home work for employees.
- Considerations for remote workers who are unaccustomed to regularly working from home.
Play the episode below or read the edited transcript:
To comment on this podcast or to suggest an idea for another podcast, contact Neil Amato, a JofA senior editor, at Neil.Amato@aicpa-cima.com.
For more news and reporting on the coronavirus and how CPAs can handle challenges related to the outbreak, visit the JofA’s coronavirus resources page.
Neil Amato: Les, before we get into talking about coronavirus specifically, I want to talk some about your experience with significant business disruption caused by external, extraordinary events. Can you tell us some about that?
Les Nettleton: Sure, absolutely. Being a New Orleans-based firm, in August of 2005 we experienced the city of New Orleans being 80% destroyed by Hurricane Katrina. That happened on a Monday — Hurricane Katrina came through Monday, Aug. 29.
The interesting part in comparing it to what’s happened with the coronavirus is that we had three days’ warning that the hurricane was going to hit. We knew on the previous Friday that it was pretty much going to hit us on that Monday. And we had to go ahead and make all of our preparations in a very short period of time.
The thing about the coronavirus is that we all know what the possibilities are. Now, we don’t want to be fear mongering, but we want to go ahead and say, “This is a possibility.” Therefore, can we go ahead and start implementing things now, start looking at our policies, start looking at our technologies to be able make this a little bit easier?
I think the big thing that I saw after Katrina was that a lot of people said, they were basically in denial when I went around the country and talked about this, the old thing, “Well, it can’t happen here.” Well we in New Orleans always thought that, too. We always heard about the big hurricane coming, but then we always heard, “It can’t happen here.” So we were in a form of denial.
I think as I travel around and talk to people, that’s one of the things that I come up with is that. “Well, we don’t live in an earthquake area.” “We don’t live in a hurricane area.” “We don’t have to worry about any of that.”
But then something like this creeps up and it’s the same thing I think when we look at cybersecurity when you start looking at what if something takes your networks down. Are you able to withstand that? Is that built into your business continuity plan?
The thing we learned most of all though from Hurricane Katrina was that personnel issues were our top priority. We thought it would be connectivity into the office. We thought it would be trying to get our business back up and running, generating revenues. And what we found out, though, was we had to basically take care of our people. They were our No. 1 resource and had been going through this type of tragedy or experiencing these types of things. The events were just too overwhelming for them.
As we look at the media and look at all of the things that are happening with the coronavirus right now, it’s starting to approach the same thing where you have a group that’s saying, “Ah, it’s not going to happen. It’s all overblown.” Then another group that’s saying, “No, this has the possibility of being out there.”
So as a good business we really have to say, “This is a possibility. It could happen. What can we do to do advanced preparations for it?”
I think one of the major things right now is that we’re in busy season. And CPA firms being a busy season, what does that mean? No one wants to meet. No one wants to get together and do planning. We don’t have time for that.
The firms that are going to come out really well out of this, I think, are the ones that are meeting every single day, even if it’s just for a few minutes. Get together, get a think tank going, and start to discuss what your options are. What has changed from the previous day? Because this is a fluid event, you can’t just say, “Let’s meet one time, and we’ll go ahead and meet in a month.” Because what’s happening just this past week has changed tremendously.
The final piece on that, though, also and one of the things we learned from Katrina was you really need to be capable of thinking on the fly. We took three steps forward and one step back for at least four weeks after Katrina. But what we had was a really good think tank. We had a really good group of people that could sit back and say, “What are the options that we had?” And at that point in time when we started our think tank, we said, “No answer or suggestion is wrong. Everything is taken into account no matter how simple or how silly it might seem.” Some of the silliest things that we came up with were the ones that we wound up implementing.
So I think, get a group together that can be able to think on the fly and meet as often as possible to talk about this type of thing.
Amato: That’s a really good point. You touched on the human element and its importance, but also I guess the ability to change your plan regularly if you have such a plan in place. So we’ll get back to that human element in just a bit. As you mentioned, businesses are having to adjust to this global crisis. It’s not a regional event like a Hurricane Katrina, but what have you learned from dealing with disaster that you think listeners can apply to a coronavirus strategy?
Nettleton: Well, I think it depends on when you start looking at business interruption and saying, “What happens during a business disruption?” For Katrina, our firm was basically down for four weeks. We had no revenue being generated because we were out of our office. Our building — we could not inhabit it, and we had to start working at our satellite office, which is about 60 miles away. So that kind of threw us in for a loop.
I think one of the things that we started to look at and saying, “What can you do?” and especially from the business interruption [standpoint]. First of all, we realized that you cannot write a business continuity plan that covers every single possibility. It’s just impossible. You can have a business continuity plan which touches some main pieces. You can say, “Give me a vendor list, give me a password list, give me an employee list,” things that go in there. But to say if this happens my response and recovery is going to be this, you can never put those two together, because that’s what we learned. We had a nice, 200-page business continuity plan before Katrina and then wound up throwing it into the trashcan, and it wound up being melted down to about 10 pages long.
Everything that we had written down we just never expected it to be a disaster which destroyed the entire city in which we did business. So we never wrote it for that. Then we realized at that point in time, you can’t really have a business continuity plan that covers every possibility.
But there’s a couple of things we were looking at from the standpoint of, how can we prepare for this whole thing? The first thing we did this time for the virus was we went ahead and checked out our insurance policy. We wanted to make sure that we had business interruption insurance up and viable. We wanted to make sure, even though we’ve paid our insurance policy, to make sure that the business interruption was paid for, that we hadn’t made some sort of mistake down the road.
The second thing was, though, making sure your business interruption policy covers something like this. If it’s not a governmental shutdown, will your business interruption come in and say, “Ah, wait, you know you’re just choosing to have your firm shut down, therefore, we’re not going to cover you.”
So I think really now is a good time for everybody to pull out the business interruption policies and start looking at those and making sure that you understand what’s in your business interruption policy.
You really need to be looking at the remote connectivity to make sure it’s working optimally. I know we’re going to talk about that in a few minutes. But being able to remote in to your office — you may want to at this point in time if you were thinking of doing something with your firm’s internet speed, you were thinking about, “Well, you know, maybe right after tax season I want to ramp up our internet connectivity.” Now might be a good time to go ahead and do that, because it would allow your end users to be able to work remotely.
If you’re going to make the call anyway, just a few months in advance go ahead and make that change now or least look at your pricing of doing that.
The big thing is policies. I’m always fascinated about firms’ policies and reading some of my companion firms down here of the policies they have or the policies that they don’t have. The problem, in reviewing these policies, is that some people have PTO or paid time off policies that may not fit a widespread event like coronavirus or a cyberattack.
If your people have to take time off, do they have first of all the time saved? Have they saved for a rainy day? Maybe not. Then what are you going to do with those people if they’re a valuable employee and they don’t have any time left off, but you’ve got to basically shut down and you’re not able to be open for a couple of weeks, does that employee go unpaid?
Now the opposite side of the coin has to be for your employees that have put away for a rainy day, do you then say, “Well, we’re going to go ahead and take that out of your PTO, but you people that don’t have anything, we’re going to go ahead and pay you anyway.” So there has to be some sort of an equitable solution to this to find out how are we going to go ahead and make sure that we cover all of our employees and handle our personnel, handle our people with kid gloves, and be cognizant of the issues that they’re going to have.
You may take this time now to start looking through your PTO policies. What do the PTO policies say? Are they equal across the board for all levels of staff? If not, then you’ve got to go ahead and start looking at what you can do to change that.
Amato: On a technology front what advice would you give for organizations that suddenly need to have a bunch of employees working from home? Do they need different hardware, applications such as Zoom or Slack? What on that front?
Nettleton: Well, that’s a great question, Neil. The concept of working from home as a long-term technologist takes on two flavors. Flavor No. 1 is that you’re going to go ahead and take your work computer. You’re going to bring it home, and you’re going to be able to work on the things that you normally work on at work, at home, where your icons are familiar, the operating systems are familiar, everything has a sense of familiarity to it.
The one issue then becomes what about employees that want to use their home computers to come into your systems, and how are you handling stuff like that? So it’s making sure, No. 1, going to your employees and saying, “Here’s a listing of equipment that you should have at home and that you will need to have these things in order to viably work from home.”
What about your internet connectivity? Do you have a viable speed? We have here at the firm a high-speed line out to the internet. However, people at home may not have a high-speed line. If not, then they’re going to experience a significant slowdown in the operations from going through.
Right now, a lot of our systems are no longer housed in-house. We have moved into the cloud. So our document management package, our tax package, our workstream package, the email — these are all hosted externally to the firm. So anybody could take one of our computers, go to their house, or go to any place that they can have an internet connection, and they can work as if they were working from the office.
The problem with working on a public internet connection, though, going to a McDonald’s or a coffeehouse or something like that — or a library — is that you’ve got to be really careful from the standpoint of somebody hitting on your machine. Making sure that your machine maybe attaches to an external VPN and does some sort of encryption without you going straight through.
The second piece there, though, has to be who’s responsible for addressing issues with the home user? So far I’m the only person here from a technological standpoint. So my name is being thrown around constantly.
So, I was asking yesterday as we were having our meeting, “What are my responsibilities going to be here? Am I going to be responsible for maintaining our systems remotely?” We have the ability to get onto any of our computers through a remote access server, and if somebody is having an issue at home, I can hop on their computer and help them out as long as they have internet connectivity.
The issue becomes when a person has an issue at home that can’t be fixed remotely. Now what do I do? Am I going to be responsible for going to these people’s houses? How are you going to handle your IT infrastructure when your IT infrastructure no longer sits in-house? So that piece of complication has to at least be addressed. I don’t think there is an easy answer for that, but at least you have to look at it.
The other side of the coin is if you’re going to allow remote home computers — not the work computer, but a person’s personal computer — to talk to your system, can you then verify that they’re running active virus scanning? That they have something on their computer that is virus scanning and it’s up to date. Can that be verified? Are they running any kind of malware? Making sure that any computer that — and this basically goes way across from coronavirus, this should be day-to-day practice — and computer that’s attaching into your network or attaching to your client files absolutely should have protection running on it at the virus scanning level and the malware scanning level, making sure that these computers are up to date.
We handle the updates of our own computers here in the office. We’re constantly updating to Windows 10. We’re constantly updating. We’re a Dell shop so we’re on Dell updates, making sure that the drivers for all of our computers are up to date.
But does the home user on their home computer do the same thing? I’m going to say, “No.” Therefore, is there a sense of risk involved when the home user starts to use their home computer to do work, rather than going ahead and using their work computer?
So I think that the thing that from our standpoint we are going to demand is that, if you want to work from home, you will be bringing your work computer. The secondary piece there is a lot of people that aren’t very technologically savvy will want to know, “How do I attach my computer from work at home? How do I get onto the internet?” It could be that you’re on a Wi-Fi. It could be that you’re bringing a network cable and plug it into your modem.
There’s a lot of different issues there. While we have some very sophisticated technical users here, we also have some that really aren’t that technically proficient and may have a lot of questions on, “How do I go ahead and connect out to the internet?” and is that going to be an issue that we’re going to have — well, it will be an issue that we’re going to have to fight, but how are we going to go ahead and fight that issue? Do you get into the finger pointing of, “Well, your internet provider needs to give you this,” or “Do you know what your Wi-Fi password is?” If you don’t know what your Wi-Fi password is, you’ve got to go to your internet provider and have them reset your Wi-Fi password. So there’s a lot of little-bitty things to look at from the work-at-home environment.
Amato: So you started to touch on it with Wi-Fi passwords at home and whether you’re using a cable or a wireless network. What’s a little more advice on how people can make work from home work, for lack of a better term?
Nettleton: I like that. A few things you need to be cognizant of: Making sure that your systems are not only up and running, but that your systems are up and running in a confidential manner. I’ll explain that in just a second.
Obviously there’s a difference between a firm that has your data hosted on onsite and your data hosted remotely. The remote ones are much easier to get to because you don’t have to come through the firm whether it be through Citrix or a VPN. You can go ahead and get to them more or less straightforward. However, what happens when you’re at home and you have kids at home, let’s say young kids.
Let’s say a person is working on a tax return and they’re inside the tax return and they’re entering information and then they get a knock at the door. They get up and they walk over to the door and they leave their computer up and running and the kid walks over to the computer and starts to hit on the buttons. Or what I’ve seen happen before is that, for example, we have cats. And my cat will walk right across the keyboard. If you watch a cat walk across a keyboard, they wind up hitting all kinds of buttons.
Now if I’m connected into my office and into my client’s data and there’s some sort of external influence, whether it be small hands from little kids or it be animals that are walking across the keyboard, you got to take that into consideration and say, “Well, how do I handle that?” Well, the easiest way is when you’re working at home, anytime that you get up and walk away from your computer, lock your computer; hit the Windows button and the L. Lock the computer. Then when you come back you basically put your password in. But it’s incumbent upon us to lock these computers when we walk away from them.
Now that’s a habit that we don’t have in the office as good as we should. If I’m simply going to walk down the hall or walk next door into my next-door office, I usually won’t go ahead and lock my computer. But if I’m at home and I’m working, I’m going to go ahead and lock the computer.
The other side of that is that we work with very sensitive, confidential information. I might have a person’s tax returns or their workpapers up on my screen as I’m preparing their return from home. If someone comes and knocks on my door, and it’s a friend of mine and I invite them into the house, I can’t leave that return or I can’t leave those workpapers up on the screen, because that’s exposing that client’s data to an external influence. Somebody might be able to grab all the information. I hope that none of my friends would, but that’s just not good business practice.
So again at that point in time, if you’re going to get interrupted for whatever reason, the best situation there is to either exit the program or lock your computer so that no one’s prying eyes can get into it.
I think the final thing and I know we’ve talked a little bit about this was from the standpoint of public networks. It’s just making sure that if you’re working through a public network, you have some sort of VPN that you can go to that is doing an encryption or a scramble on your information. That your client’s information is not being broadcast across the wire in just an open format.
Amato: Great. So not only do we get human advice, technology advice, we also get advice for how to deal with cats that walk across keyboards. Love it. How can organizations test out their VPN’s ability to withstand a larger percentage of their workforce using it?
Nettleton: And that’s a great question. I saw this through, I guess it was an article I was reading yesterday. A firm that I know is going to go ahead and they’re going to do two levels of testing for external connectivity back into their firm. The first level is they picked 15 people out of their firm this Saturday to work from home. They are going to go ahead and see what the threshold is, make sure that they’re able to have all 15 people work and not have any kind of slowdowns.
The next Saturday, a week from this Saturday, they’re going to have everybody go ahead and work from home as a test. Then also at that point in time, see what the thresholds are as to whether they’re able to go ahead and work properly.
So I think it’s the concept of you’ve got to set up some tests procedures and make sure that your people are able to get a connectivity into your office.
Now being a realist, I know that we haven’t built most of our firms from the standpoint of external connectivity to have the entire firm come in, back into the firm. So it may be something that we want to go ahead and look at and say, “Maybe you’re going to be slow working from home.” It won’t be as fast as being in the office especially if you’re running WiFi from home. But there again it’s the matter of end-goal-oriented, can you get your work done versus doing no work whatsoever?
Amato: So we’ve talked about the necessary technology from a management standpoint, a human standpoint. You touched on it with your retelling of the Katrina events. What about overall communication? How should that change, or what should be emphasized when suddenly people are scattered and a manager has no face-to-face contact with staff?
Nettleton: That is a great question, and I have to go back to Katrina really quickly on that. When Katrina hit on the Monday, we wound up where I had no contact with anybody until the following Thursday. Now the reason being is that we had walked out of here with everybody’s cellphone numbers. We could contact people, but not realizing that due to the hurricane the cellphone towers were going to go down. We had no way to go ahead and connect.
What we did at that point in time, though, is we developed an external bulletin board system and started posting back and forth on the external bulletin board system.
Now since Katrina we have an externally hosted exchange server. Therefore, our exchange server is not at the mercy of the building that we’re in. If the building that we’re in shuts down or has some sort of issue, then we’re not at the mercy of it being able to use email to coordinate different meetings.
So I think the concept of having meetings and being to do meetings is easy. It’s just you got to go ahead and start building your groups at this point in time. For example, we have an emergency response team here at the office. It consists of our managing partner, our administrative assistant, myself, and one other person from a department that would be a high-level department. And basically if there’s any kind of emergency where we’re outside of the building, we have a standard 9 o’clock in the morning and a standard 9 o’clock at night telephone call.
We get on a conference call and we start to discuss things of what’s going on. And if there’s nothing happening, nothing that we need to talk about, the call is ended. But the one thing that we did was we said, “We’re going to empower whoever happens to be on the call with the decision-making process.”
For example, if our managing partner can’t make the 9 a.m. call, then the people who are on the call have the power and the ability to make decisions for the firm of how we’re going to do things. We found that out after Katrina because it was almost impossible to get everybody together at the same time.
So, meeting and going through the meetings doesn’t have to be as hard as you think. There are many different ways that you can connect whether it be through text messages, whether it be through GroupMe accounts, whether it be through email, even getting together in person at external places, especially if you can’t come into the firm. I just think that that’s one of the easiest things to go ahead and handle if you prepare upfront. You’ve got to know upfront what your capabilities are and who will be involved in what process.
Amato: Les, this has been very informative and there’s obviously still a number of directions we could go with this discussion, but in the interest of time what would you like to add in closing?
Nettleton: Well, I think I have to go back to a lesson learned again from Katrina. No. 1, as we talked about before, was that we can’t be in denial. We can’t say, “It’s not going to happen here. It won’t happen here.” It could very definitely, possibly happen here. So we need to continue to plan. Don’t be scared of planning. Don’t be scared of getting together and talking about these things. It doesn’t mean that the thing is going to come. It doesn’t mean that you’re being a fear-monger by going ahead and doing planning. But you’re going to feel a lot more comfortable about your firm and your firm’s processes if you properly plan this out.
I think also, though, it’s really important for the management of the firm to come out with good, hard information that doesn’t have a lot of emotion in it, isn’t going one way or the other. Because what I’m seeing right now from this perspective of the coronavirus is two distinct sides. One is people that are saying this is the end of the world, the other one is saying that this is nothing. And actually you really have to find someplace in between.
Being a person who worked for 18 months to fix the Y2K issue here at our firm I’m always interested to hear people go, “Y2K wasn’t an issue.” It was. What we did was we planned for 18 months to make sure it didn’t affect us; therefore it became a nonissue. But if we wouldn’t have planned, if we wouldn’t have anything, then it would have wound up being an issue.
I look at this as being the exact same way. Now, yeah, we’re in the busy season. It’s not the best time to plan. It’s not the best time to put meetings together. But you really have to take this time to go ahead and start looking at all of the options that you have. Look at what the options are, and again I’m going to reiterate, you’re going to take three steps forward and one step back. Accept those steps back. It’s not a bad thing when you make those steps back. Don’t punish yourself over them or don’t go, “Well, that was a waste of time,” because at least you’ve made of steps forward. What you’re trying to do is simply from a day-to-day perspective, like we did during Katrina, make it to the next day.
Amato: Les, thank you so much.
Nettleton: Oh, you’re welcome. Glad to be here, Neil.