The COVID-19 pandemic is disrupting global financial markets and is creating panic, uncertainty and distraction in many operations of global corporations. The severity and global scale of the crisis have impacted business resilience to a large extent, leading to businesses rushing to validate their preparedness and effectiveness during this time of crisis. The reliability and integrity of financial and operational information very much depends on strict compliance with new regulations, policy-based guidelines, and processes protecting the assets, workforce, workplace and resources necessary to conduct and sustain business. The viewpoint expressed in this document re-examines and suggests improvements to a corporate resilience framework and how to proactively take adequate measures to restore business functions in times of crisis.
The Corporate Compliance function is responsible for ensuring adherence to compliance policies and for coordinating an organization’s business functions through robust, integrated, policy-based standard operating procedures and audit management functions, all of which depend on people, process and technology.
A strong Corporate Compliance framework and principles that govern risk controls are essential to report observations and manage/recommend actions related to potential non-compliance, negligence or impropriety during uncertain times.
The severity of the current COVID-19 crisis has been profound and has led to a slowing global economy. For most corporations, the cost of recovering from losses has already eclipsed that of the Great Recession of 2007-2009 and the dot-com crash at the beginning of the 21st century. Unlike the Great Recession, which was financially centered in both its origin and its resolution, the COVID-19 crisis is operationally centered: the economic impacts are driven by a breakdown in business operations due to health-related closures. The financial stimulus provided by governments around the globe is merely a bridge to the other side of the crisis, which is business operations recovery. Once recovery begins, GRC/IRM will provide visibility of the interconnected risks (i.e. third party, digital, business continuity, health and safety, legal, and ethics and compliance risks) that businesses must navigate to succeed.
A Chief Compliance Officer is responsible for supporting Compliance Policy management, which includes sourcing and analyzing raw data and information from regulators, legal experts, industry bodies and corporate best practices. The aim is to sustain an organization’s operational efficiency, business continuity, loss recovery and overall responsiveness so that it can rebound from the impact of the COVID-19 outbreak.
The role of Corporate Compliance Officers is increasingly important in managing the crisis and its consequences through a data-driven approach that identifies specific causes and runs historical review simulations to prevent risks from escalating to high-impact levels. Below are some of the critical compliance management preparedness aspects in terms of people, process and technology.
Compliance Preparedness: Pillars of Corporate Resilience
- People: When large corporations are reeling from a crisis, it’s important to abide by ethical and practical policies that safeguard and enforce ethical employee behavior within the organization, as well as in relationships with government officials, shareholders and business partners, to maintain the integrity of corporate values. Address key questions around the creation of a virtual workforce, and ensure plans exist for an orderly return of the workforce and for seamless operations in the meantime.
- Process: The various compliance process objectives should align with the overall corporate GRC vision. They should focus on enabling, improving and updating existing business resilience plans – including business continuity management, third party risk management, physical asset security, seamless operations across key business processes and data security – in line with communication from regulators and local governments.
- Technology: Data assessment, electronic forms of evidence, news feeds, crisis management systems, virtual collaboration tools, modernization of technology infrastructure, supply chain management and implementation of risk controls are all essential to detect inconsistencies in compliance systems that may affect reputation, brand and operational recovery. They are necessary to ensure continued regulatory compliance and reporting during a COVID-19 outbreak.
Moving Toward Corporate Resilience: Vertical Risk Visibility – IRM
In order to be more resilient, enterprises will have to revisit their entire GRC framework as they go through this forced transformation to address the evolving business model. For businesses to restart and regain lost ground, they also need to look at risks both vertically and horizontally. They will need a common risk view across operations, strategy and technology; hence the forced shift toward Integrated Risk Management (IRM), guided by principles such as risk-informed strategy, digital risk management and adaptation to rapidly changing global ecosystems.
a. Information Technology Risk and Compliance Management
The survival of an organization during this challenging time is very much in lockstep with how it manages information technology risk and compliance, and how effectively it shares, updates and prioritizes policies and actions to deliver interim IT operations, infrastructure availability and support.
The operational resiliency measures expected are to:
- Identify risks through IT-related measurement strategies (metrics, indicators, computation methods). Leverage internet news feeds from regulatory bodies, third party providers, government and quasi-government health agencies, to forecast interim IT operations plans for information systems recovery, and then decisively implement emergency operating procedures to allow a workforce to resume working remotely.
- Maintain data storage, security and retention plans that manage information throughout its lifecycle. Implement a classification scheme governing the access, use and transfer of data, and revise the guidelines for the storage, retention, disposition and retrieval of information.
- Leverage digital technologies such as AI/ML to ensure key process controls are automated. Monitor external regulations, the delegation of authority for required policy and documentation changes, and regulatory requirement changes across geographies; policy authoring, communication and storage can be automated through Robotic Process Automation (RPA).
- Add predictability to IT processes using machine learning models, so that an organization is aware, as far as possible, of likely distress scenarios in the future, e.g. when the next ATM failure will occur.
- Revise external reporting to regulators and other stakeholders to define updates to dashboards, alerts and the appropriate level of detail or abstraction, based on a broad network of information sources. This helps reduce the risk of non-compliance, even in times of crisis.
- Build robust collaboration platforms to cater to the needs of a virtual workforce.
- Adopt secure cloud-enabled infrastructure and security practices to minimize infrastructure impact in future disruptions.
b. Managing Third-Party Risk and Business Continuity Planning Management
- It’s essential to revisit measurable indicators and thresholds of third party risk management to protect an organization from non-compliance or misconduct by vendors.
- Leverage financial methods including insurance and the establishment of reserves, including any supply chains that may be contingent on obtaining insurance from third party vendors. Supplier contracts have to be revisited to ensure compliance to operate within regulated industry requirements during a pandemic.
- Identify risk trends faced by vendors based on industry, workforce size and geography, and monitor changes in underlying factors to predict any potential disruption to business continuity.
- Short-term versus long-term planning to analyze vulnerabilities and the likelihood and impact to a third party vendor’s business operations.
- Stress test current plans so that the breaking point is well understood across the enterprise, and put action plans in place to mitigate it.
c. Policy and Documentation Compliance Management
- External Regulations Monitoring: Identify international, national and financial industry regulations to collect and interpret regulatory change data to incorporate into relevant corporate policy guidelines, e.g. employee, third party, government, stock-exchange notifications and IT governance.
- Assess impacts on business continuity by implementing corrective controls based on measurable data including guidelines to operate in challenging times.
- Policies and documentation, and their dissemination, should be consistent and aligned with overall organizational objectives in order to comply with applicable laws and minimize conflicts of interest. This helps maintain transparency and provides accountability by senior management.
- Awareness of policy changes should be enabled swiftly through conference calls, policy training modules, helplines and the availability of compliance officers; this helps an organization respond to inquiries from internal and external stakeholders and meet its commitments to them.
- Establish mandates and standards of doing business in uncertain times to improve trust, confidence and reputation.
d. Audit Compliance Management
- Define the independence of the assurance function from senior management so that it can provide independent assurance to the board and shareholders and help audit and monitor compliance objectives. Re-define senior management roles and accountability to ensure compliance officers are able to champion the management of business continuity policy guidelines.
- Ensure continuity in accountability of audit function through well-documented compliance guidelines segregating roles of the audit team to ensure highest levels of corporate governance standards.
- Define a clear communications strategy for both external and internal communications.
- Report defective controls and any alleged misconduct while operating in a time of crisis, to ensure transparency in operations.
- Periodically evaluate thresholds and organizational change management at a pace that keeps up with new regulatory changes, without disrupting the operating model of the respective businesses and functions.
- Work toward providing exceptions and waivers without compromising any local, national and international regulations or laws. Operate with rigor during any implementation of business continuity intended to identify any non-compliance.
Infosys-MetricStream Point of View
Although there have been pandemic threats in the past, COVID-19 is the first to fully crystallize in many countries at the same time. As a result, there will be lessons for boards, senior managers and all three lines of defense to learn from the current situation. The stressed financial markets and the tightening liquidity have begun taking their toll on corporate balance sheets. The role of the GRC/IRM function has never been so much in the spotlight, and the compliance management and operational resiliency of organizations are being tested to their limits. Thresholds in risk controls are being re-examined and compliance policy management is at the forefront of every executive’s mind. Continuous and rigorous preparedness in meeting regulatory compliance obligations is essential to the very survival of organizations in these challenging times and will provide a realistic path to recovery while the world grapples with the “new normal”.
To help customers rapidly adopt and upgrade their GRC/IRM capabilities, Infosys and MetricStream have collaborated to launch the GRC-as-a-Service offering. GRC-as-a-Service is intended to give customers a head start in their GRC adoption and expansion journey. This digital offering from Infosys and MetricStream is a subscription model that provides risk and compliance oversight for the enterprise, allowing customers to leverage the benefits of a GRC platform and navigate the strictest and most complex regulations. By deploying this cloud-based GRC solution, customers gain on costs, data volumes, monitoring and maintenance.
The offering helps customers quickly build economies of scale by switching subscription tiers, with faster ramp-up and ramp-down through a core-flex model: committed monthly costs plus incremental unit pricing based on defined parameters, e.g. the volume of tickets. It addresses cost escalation by bringing in a transparent subscription grid pricing model with clear standard operating procedures (SOPs) for cost calculation and SLA metric tracking using GRC ticketing tools.