Focus on

New ways of doing business

Renato Sesana

When a pandemic spreads, it challenges key social infrastructures such as healthcare systems, economic life, socio-economic structures, key institutional agreements, communities and day-to-day family life.

This is what happened with the spread of the Covid-19 pandemic, which forced people and companies alike to adapt to new ways of living and new ways of doing business, by adopting methods which were not the outcome of deliberate strategic decisions, but of a necessary choice.

Now, a year after the beginning of the emergency, after getting used to doing our best during the pandemic and, moreover, now that we start seeing a way out, we tried to think back and identify the lessons learned to provide a range of topics which the emergency forced us to consider and act upon and which will become the new normal in the post-Covid era.

Smart Working

All organisations had to adopt remote working due to the spread of Coronavirus and the subsequent lockdown imposed by the Authorities.

Remote working, resulting from an obligation, led many companies that were not yet ready to work with this new method to quickly implement technical and organisational solutions which could guarantee business continuity.

The latest report by the Smart Working Observatory of the Milan Politecnico shows the scope of this change: 97% of big companies implemented remote working during the most difficult phase of the emergency, against 94% of Public Administrations and 58% of SMEs, for a total amount of approx. 6.5 million workers, i.e. one third of Italian employees. A surprising number, more so if compared with the 570,000 smart workers identified in 2019.

After this experience, remote working will become a more common practice, with a greater balance between days working in the office and days working remotely, though it is not yet clear whether what will be introduced is agile work, which implies an actual revolution in the way of working from a regulatory, organisational and managerial point of view, or simply remote working.

Actually, smart working does not mean doing remotely the same things in the same way as when working in the office; when people are always online, with different rhythms and often in an asynchronous way compared to colleagues, it is necessary to develop working schemes, daily routines, communication and interaction methods, as well as planning models, much different from those used in a traditional working environment. In particular, a smart working strategy needs to be defined, clearly setting out, sharing and communicating each person’s tasks and based on transparent information, with planned interactions supported by adequate tools, also as concerns quantitative and qualitative performance results. In order to collect such results, moreover, a review of organisational processes is needed, as well as their understanding and acceptance by the employees (particularly for the changes that they may imply).

Smart working necessarily tends to isolate people, therefore internal communication and transparency are key factors to turn it into a successful tool; this should be facilitated by the attention that managers have shown to their collaborators and the latter’s ability to react promptly to the changes imposed by the external context.

Despite the physical distance, a shared intent among operational teams and management has been created towards a common target, i.e. the survival and sustainability of the Company.

Cybersecurity

The informed decision to apply smart working in the future necessarily implies an analysis of all the issues that emerged during the pandemic; our houses and our apartments have become smart offices, and families and home assets are now an integral part of companies.

For this reason, remote working amplifies a series of risks, among them the cybersecurity risk, which need to be known in order to be faced, managed and mitigated.

As always when speaking of cybersecurity, the topic needs to be faced both from an organisational and a technical point of view.

As mentioned above, the pandemic further favoured the use of personal IT devices also for “professional” reasons (Bring Your Own Device – BYOD), not just mobile devices, but also personal computers. This gave rise to new vulnerabilities (e.g. how are these PCs protected from viruses, malware, etc.? how is the communication with the corporate network safeguarded?), thus increasing the risk of compromising the corporate network through the home infrastructure. Once more, it also clearly showed that besides technological risks there are organisational risks and risks relevant to people: employees and collaborators were forced into isolation by the pandemic, with a lack of sharing and exchange of information with colleagues, leading to a further spread of phishing and social engineering attacks.

These risks need to be managed and mitigated, both from a technical and an organisational point of view. It is thus advisable for companies to perform assessments to evaluate the strength of their infrastructure and of their applications, and to implement prevention and protection measures for key information, both transmitted and filed and stored on devices.

From an organisational point of view, it is easy to imagine that the areas of intervention are many, starting from training and raising people's awareness of cyber risks, indicating how to identify and manage possible phishing or social engineering attacks and, last but not least, devising policies and procedures aimed at guaranteeing that people work according to clear and well-defined rules and procedures; nothing has to be left to chance and to improvisation, also in terms of roles and responsibilities.

Data Protection

Another topic that has been brought to the fore by the healthcare emergency is data protection, which once more turned out to be an issue which needs to be carefully considered not only by experts, but in the near future by all companies, including those that so far have not treated it as a priority.

Data privacy has actually been under discussion for more than a year by the Government and local entities, as well as by private companies, as concerns its correct application. The Italian Data Protection Authority regularly intervened in this last year, inviting data controllers and data processors to strictly comply with the indications provided by the Ministry of Health and by the competent institutions, and not to implement autonomous initiatives such as the collection of data on the health of people and workers not provided for in regulation by the competent authorities. Examples are the “Shared protocol regulating the measures to control and contain the spread of Covid-19 in working environments” adopted by the social parties, or the main measures adopted with reference to the Covid-19 pandemic emergency.

Such regulatory framework not only provides useful indications on the correct data processing by public administrations and private companies, but also guarantees compliance with the data protection regulation, for example in cases of: i) measurement of body temperature; ii) serological tests on employees; iii) collection of employees’ data on the possible exposure to Covid-19 as a condition to access the workplace; iv) processing of data relevant to vaccinations of employees on the workplace, not to forget the role of the competent doctor in the collection of such data, in his role as connection between the healthcare system and the working environment.

Digital Transformation

Since the end of the COVID-19 period is at least in sight now, many businesses are thinking about the possible actions to take to restore their full activity and to be more competitive in the new context in which they will operate.

We already referred to remote working and to how it will continue being applied by 54% of companies, even after COVID. But can’t remote working already be considered the start of the Digital Transformation process? We believe so. Technologies used for remote working allowed holding virtual meetings, facilitating collaboration and knowledge management and often increasing efficiency of processes, as regards both internal business operations and operations between companies.

Extending the scope of our analysis and considering the Digital Transformation as the utilization process of digital technologies to create or improve customer experience, reengineer business processes and adapt the way companies work, there are many areas which business investments will focus on over the next months.

By way of example, an area which can take a significant advantage – particularly in terms of cost saving – from digital transformation quickly and with limited investment is the automation of internal repetitive processes that strongly depend on the human factor. Within the administration area and the back-office function, as well as within specific segments in the financial intermediation sector – such as anti-money laundering or client onboarding –, Robotic Process Automation (RPA) solutions, through the development of BOT software, are becoming more and more common in all industries and for companies of all sizes.

These solutions have become more useful – or even necessary – when the availability of people became a critical factor, as the COVID period demonstrated. They also allow reducing considerably the number of errors, speeding up processes, tracking and subsequently auditing processes, as well as being integrated without any impact on existing information systems.

Lastly, a real drive to digital transformation could also come from the initiatives that will be introduced soon in Europe through the Recovery Plan, which will implement the Next Generation EU programme and which will allocate a relevant portion of the total 200 billion available to the mission “Digitalization, innovation, competitiveness, and culture”, which aims, among others, to “support the digital transformation and the innovation of the production system through incentives to invest in state-of-the-art and 4.0 technologies, research, development, innovation, and cybersecurity”. But this will be more thoroughly discussed in following editions of TopHic, once there is a complete overview of the situation.

The administrative liability of corporations (Legislative Decree 231/01)

With reference to the so-called “231” liability of companies, it must be specified that COVID-19 determines or increases some potential risk profiles that can be divided into two categories: indirect risks and direct risks.

Indirect risks consist in a further possibility to commit some offences already included within the list provided by the 231 regulation but which, if considered by themselves, are not strictly related to the management of the COVID-19 risk within businesses. Those companies that adopt a 231 Model should have already considered such risks as relevant within the risk assessment activities during the Model implementation process and already taken all proper actions and adopted all proper procedures to prevent their occurrence. It is possible, on a case-by-case basis, to evaluate the chance to strengthen such procedures, adjusting their application, if needed, to align them to the different organizational context that arose during COVID-19.

Besides indirect risks, the pandemic determined the rise of a risk that we could define as direct for companies, i.e. the risk related to the COVID-19 infection. Therefore, 231 Models should specify the set of protections implemented to ensure a valid and effective management system, which includes all specific measures to fulfil the legal obligations to safeguard employees’ safety and health. In fact, the Public authorities identified (and will continue identifying) a set of measures to contain infection in different sources, i.e. law decrees and Presidential Decrees issued over the last months, as well as in the shared Protocol regulating the measures to fight and limit the spread of COVID-19 virus in the workplace, subscribed by the Italian Government and social partners on 14 March 2020 and further integrated and annexed to Presidential Decree dated 26 April 2020 (and, lastly, in Presidential Decree dated 17 May 2020).

In brief, a business protocol will have to be prepared, clearly stating the measures introduced to implement the instructions included in the Protocol, as well as all actions taken and decisions made by the employer to apply such measures (e.g. minutes and registers), information reports to employees, as well as the reports prepared by the bodies in charge of supervising the compliance with the new procedures. This protocol will be included, in fact, within the set of protection measures implemented by the employer in the organization, in order to prevent committing offences as provided in 231 regulation.

In this emergency phase, a determining role is played by the Supervisory Board, which is in charge of assessing the suitability of organizational models, supervising their observance, and ensuring their update so as to also limit the risks deriving from Coronavirus.

As it happened during the health emergency, when a complete and effective business compliance was important to properly safeguard employees’ health and exclude any liability for the company, companies will need to adjust their organizational models, 231 Models and the relevant supporting documents in the future as well, based on all updates and evolutions that they are going to face, as the internal and external labour landscape will not be the same as it was at the beginning of 2020.

Business models

In this historical moment, which is still characterized by uncertainties, it is difficult to make forecasts on how the business models of companies will evolve over the next months and years, but we could identify some trends that are becoming more common among companies, as well as some aspects that we deem should be analysed.

As concerns M&A, we are witnessing, in our capacity as M&A advisors, an increasing request by companies for financial support, mainly through equity, as well as for support with the sale of their shareholding by entrepreneurs. However, unfortunately, due to the widespread worsening of financial statements data, the difficulty of carrying out engagements and, subsequently, of achieving a positive outcome of the operation, increases. Lastly, this leads to a higher selectivity by possible acquirers, due to the higher systemic risk perceived.

With reference to investment areas, besides the mentioned considerations on remote working, cybersecurity and digital transformation, we also noticed the will of groups to concentrate their internal resources on core business functions, thus outsourcing more non-core processes, particularly in the administration area, granting a higher flexibility and, under certain conditions, a higher efficiency and cost saving.

It is easy to imagine that in such a context, the appetite for automation, even if it is not the priority for all CFOs or entrepreneurs, will also have a crucial role, to increase the efficiency of both in-house and outsourced processes.

We therefore expect these to be the most important development directions over the next months, especially when the current aids and safeguards to employees stop being effective, leaving space for restructuring more as a need, rather than as an opportunity.

The quality of outsourcers will become a determining factor and small and local outsourcers will be certainly replaced by larger ones and, most of all, international ones, which are more efficient, more technological and more able to assist companies with their internationalization process, which is crucial in a world that demonstrated how territorial diversification can allow limiting the difficulties related to local restrictions.

Internationalization is a matter that also affected many workers personally, who, due to the pandemic, came back to their country of origin, even in the long run, when foreign employers granted the possibility to work remotely also outside the national boundaries. This gave rise to many questions about permanent establishments and subsequent tax impacts for the employer, which are usually underestimated. Moreover, many expats had to (unexpectedly) move temporarily (e.g. came back home for some months), with a subsequent complication in the definition of their residence, also from a tax perspective.