Blogs
Through the GRC Lens – June 2020
- Risk Management
- 22 July 20
3 min read
Has COVID-19 made us more empathetic?
Since the global workforce shift to working remotely, how have employees accepted and adopted to these new processes and work environment? Is the ability to return to the office a truly reassuring step toward normalcy? Companies leave no stone unturned while trying to bring back their employees to office, but has the focus shifted? – Let’s see what made it to the headlines in June – through the GRC lens.
A new paradigm
COVID-19 has brought in huge changes to the way we work, collaborate, and engage with our peers. Evidently, remote work is here to stay, and that makes it more crucial for both businesses and employees is to identify, understand, and embrace the advantages of agile working. But the rise of remote working, worldwide, has made communication more challenging. While on the positive side we see more adoption and acceleration of newer technologies by a broader audience, electronic means of communication is still alexithymic.
While this can make people feel that they are a part of a larger, although virtual, human experience, the current circumstances have changed the pace and cadence of peer interactions. New methods of connectivity allow face-to-face interactions; however, a sense of intimacy and understanding is lost, in the long run. Ultimately, there is a minimization of emotions, as we are exposed to fewer opportunities to tune into emotions, unlike in physical conversations.
Today, organizations are beginning to think about getting their employees back to office. And while this takes logistical and operational planning related to schedules, seating configurations, elevator usage, cafeteria usage, food delivery, and much more, it’s not just the physical health that they need to consider. The bigger question is, “Are your employees ready to come back?”
This unforeseen crisis, the rapid change in work environments, layoffs and furloughs, and the ever-changing cycles of disruption and adaptation have taken a toll on worker’s productivity and mental health. The new post-pandemic environment has made it imperative for organizations to address employee mental health and well-being more than ever before.
What does this mean for organizations?
A recent survey by Weber Shandwick and KRC found that ‘nearly half of employees are concerned that their employers will bring them back to work before it’s safe.’ In America, IBM polled 25,000 people and found that 75% wanted their employers to allow them to continue to work remotely at least some of the time, while 54% wanted it to be their main form of working after COVID-19, reports Management Today.
Marco Icardi, President for Europe, MetricStream, in his article, ‘After lockdown: Putting people first’, suggested, “While it is important that companies adopt these measures to help reduce the spread of the disease, they should also strongly consider how individuals may be feeling during this challenging time.” “To establish new policies, companies should involve their workforce in the decision-making… Although there are practical measures that companies can take to regain ‘normality’, the priority should be on their employees’ wellbeing,” he added.
With the acceleration of technologies like Zoom, Slack, and Teams, communication has gotten more structured and explicit. “Leaders must ask direct questions about what’s working and what isn’t, “ notes Amy Edmondson, professor, Harvard Business School, in a conversation with McKinsey. “We can’t be positively infectious with others unless we’re feeling inspired and sustained ourselves first. That’s what leaders managing high-stress positions need to do to take care of themselves and to then involve and take care of others,” adds Richard Boyatzis, Professor, Case Western Reserve University.
Enhanced awareness around mental health in the workplace
Although, mental health was a vital topic of discussion prior to the pandemic, COVID-19 helped amplify the issues around mental health and well-being, especially in workplaces. Uber introduced a global ‘Employee Assistance Program,’ that provides confidential counseling services to its employees and their family members to deal with stress and anxiety, Capgemini also started a guided meditation series, Ceat Tyres came up with an initiative called Cofit-20 to offer fitness and mental wellbeing session to employees. We at MetricStream, also started a mindfulness session focused on helping people towards their overall wellbeing.
Perhaps, the COVID-19 pandemic has brought physical and mental well-being to centerstage. Investing in the mental health of employees, will eventually lead to a more productive and engaged workforce. Experts suggest that acknowledging and addressing employee grief helps people build resilience. This probably is the biggest opportunity for companies to rebuild organizational health and overcome the stigma around discussions on mental and emotional health.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens – May 2020
- Risk Management
- 18 June 20
4 min read
Is Diversity Driving Innovation During COVID-19 Crisis?
As companies begin to think and draft new strategies and policies for business continuity, resilience, and workplace management in the “new normal”, they are presented with an opportunity to create and foster a new workplace environment that is free of gender prejudice, biases, or discrimination. Leaders are rethinking the new reality in newer perspectives, while understanding and addressing challenges in diversity and inclusion. Let’s see what made it to the headlines in May 2020, through the GRC Lens.
With the uncertainty of an economic slowdown, the demand for innovation and resilience is increasing at an unprecedented rate. The COVID-19 crisis has taught businesses more about themselves as they try to chase business goals in the new reality. Business leaders are starting to understand that equality is not only the right thing to do, but also the smart thing to do. Businesses, while on the verge of an “economic reset”, are now beginning to rethink their steps to increase diversity, equality, and inclusion.
Business executives around the world are facing the perhaps some of the greatest leadership tests of their careers today. They must navigate through the disruptions, plan for disaster recovery and business continuity, rebuild a business model for the new normal, and ensure they protect the health of their employees and customers.
However, gleaning lessons from the COVID-19 pandemic has shown organizations that the value of science, crisis preparedness, and effective leadership, are not the only major areas of reflection, diversity is also imperative to our survival.
McKinsey’s recent report, “Diversity Wins: How Inclusion Matters”, states that companies with greater gender diversity were 25% more likely to experience above-average profitability compared to their counterparts.”
Unfortunately, only a third of the companies surveyed by McKinsey have achieved real gains in top-team diversity, most have made little or no progress, and some have even gone backward. This means that there is a widening gap between I&D leaders and companies that have yet to embrace diversity.
How COVID-19 is forcing organizations to rethink diversity?
The COVID-19 pandemic proved that an employee’s contribution is not measured by the quantity of time spent at the office desk, but by the quality of their contribution. In an interview with Forbes, SV Nathan, Chief Talent Officer at Deloitte India, said, “Because organisations are more flexible about how roles are executed, women, who earlier felt disenfranchised when they got married or had a child, will feel more empowered.”
It now appears that a lot of conventional gender workplace biases are being put to rest during Covid-19.
“What Covid-19 has done is present an opportunity for business leaders to learn that the only people who are going to excel are the ones that share empathy, compassion and are able to lead teams even when there is a huge amount of uncertainty,” said Johanna Beresford, CEO of In Diverse Company, in conversation with Forbes.
Recently, in an open letter to employees and customers, Microsoft CEO Satya Nadella said that Microsoft would be made more diverse and inclusive. “As a company, we need to look inside, examine our organization, and do better. For us to have the permission to ask the world to change, we must change first. We have to embrace the same speed and mindset that we do in anticipating and building for future technological shifts”, he wrote in the letter.
We need to understand that diversity and inclusion are about more than just gender. “To produce an environment that champions individuality and difference, organizations must inspire and support those previously underrepresented as well as those who have always been represented. This is the only way perceptions change, and a culture of togetherness and inclusivity thrives,” said the World Economic Forum while it also suggested inclusion and women’s participation as two of the 4 important ways to promote diversity within an organization.
Business leaders are now beginning to realize that integrity, along with compassion, ethics and inclusion, is going to drive consumer behaviour and empower brands and performance now and in the years to come. Ajay Banga, CEO of Mastercard, in a conversation with Gaurav Kapoor, COO, MetricStream, sharing his expert opinion at the GRC Summit 2020, said, “You have to lead by setting an example, by making your company a place that your employees want to be a part of.”
Speaking about the Decency Quotient (DQ) he adds, “Make your employees feel that you have a hand on their back, not on their face…Employees don’t want to miss out opportunities that they deserve because they look different or they come from a different background. Decency Quotient has everything to do with how you lead, the practices you follow in your company, the rules you’ve set, and the manner in which you treat people. DQ is what makes people follow you to the end of the world.”
Understanding that collaboration through diversity can bring unprecedented energy and resources to the table is important. In the current scenario, while the world is fighting its battle with unknowns, organizations can leverage diversity to build resilience. Corporate leadership needs to understand the larger consequences and impacts of deprioritizing I&D efforts. This crisis has delivered many crossroads to businesses, using this they can either take measurable steps ahead or go backward.
It is now imperative for leaders to embrace and reinforce diversity and inclusion, as a key driver for organizational culture change and future planning.
Jump to Topic
Related Resources
Blogs
Risk Quantification Heightens Value in Cyber Vigilance
- IT Risk & Cyber Risk
- 22 May 20
4 min read
Introduction
In this “New Normal” of COVID-19, where we rely more than ever on the digital world of virtual meetings and get-togethers, online shopping and delivery alerts, tele-medicine visits and triage – our security and cyber teams are on high alert to protect both regulated and sensitive data.
Ordinarily, most security and cyber teams patrol and prod an organization’s infrastructure, analyzing weaknesses and locking down IT assets to close gaps. Remediation comes in many flavors, from restricting access to tightening configurations based on recommended security settings, to partitioning networks to sequester sensitive information.
Getting a bee line on what ‘crown jewel IT assets’ need high priority attention is the mantra of these teams. It’s an ongoing challenge with the attack surface becoming more complex with third parties, cloud service providers and layers of software and technology blurring the lines of demarcation between what is ‘inside’ and ‘outside’ the organization. It is widely understood now that the concept of a ‘fixed perimeter’ is dead. With the advent of Work for Home, Distance Learning, and the dramatic increase in the use of digital solutions, the threat landscape is growing exponentially. And with it, risk to process, people and technologies.
Risk Quantification is Now Critical to Prioritize Successful Asset Protection
So how can teams understand what remediations to prioritize and where to apply scarce resources to lower risk by closing gaps?
A best practice that is quickly emerging in IT, security and cyber programs is risk quantification.
Risk quantification strives to create an operating risk score, based on multiple factors, in the context of business processes, current events and likely future events, network use and user behaviors with characteristics of data. Properly executed, teams can continuously calibrate and tune algorithms that produce scores. Ideally, scores produce a forward-looking view based on changes in the external environment, business processes and technologies.
For example, cyber risk postures are shifting with as threat actors target attacks on video conferencing and VPN traffic due to the uptick in the number of people working and learning from home. At the same time, the internet is stressed with an increase in streaming and gaming traffic. Spear-phishing and scams are on the rise. If email comes through that looks legitimate, pertaining to personal finance or health issues, employees working from home are apt to click and be trapped, increasing the risk of a bad actor penetrating their organization and threatening information and assets.
How to Quantify Risk With a Top-Down, Bottom- Up View
Teams strive for a top-down and bottom-up 360 view of risk to recommend mitigation investments. The diagram below shows how operational risk, resilience teams and cyber teams can get on the same page to do just that. Driving to a common risk score is a way to make sure teams use aligned techniques and methods.
Top-down views take information from the business in terms of dollars rather than just the days or hours to return to operations (RTO) or an recovery point objective (RTO). RPO and RTO are typically used to measure in resilience through business impact assessments (BIAs) and aren’t sufficient for risk quantification.
Cyber teams can work hand-in-glove with operational and resilience teams that look at inherent and residual risk within a high priority business process. Operational risk teams understand concepts like annual loss expectancy and can put a value of the criticality of a process – say keeping the order processing system up 24×7 – in terms of real dollars.
From a bottom-up perspective, security and cyber teams map threat and vulnerabilities to assets that support critical business processes. They strive to estimate the real cost of mitigating vulnerabilities; for example, strengthening access controls, patching software, replacing an unsupported application, implementing automated controls through firewalls, re-architecting and segmenting networks, outsourcing some apps to a 3rd party operating in the cloud, or taking on cyber insurance. There are limited options. With a risk score supported by a top-down view, cyber teams will be able to weigh one or a combination of mitigation strategies for optimal defense in depth.
For example, a team will have insight into the dollar amount to invest in and deliver the mitigation, such as deploying stronger anomaly detection software on a critical business process.
Risk Quantification Creates Agility and Speed in Remediation
With Risk Quantification, teams can increase their insight, agility and speed in remediation efforts. They can use scores to compare a forward-looking risk with dollar investments to mitigate against dollar impact. Teams can prioritize efforts based on the risk quantification score and the dollar magnitude of impact.
The leverage best practice, security and cyber teams must continue to diligently deploy and refine risk quantification methods – as a scalable discipline – and use them effectively to invest in the just the right areas as our cyber programs evolve with increasing digitalization.
Stay tuned!
Over the coming weeks, we will explore more best practices and how security and cyber teams are adapting to COVID-19, outlining how risk quantification methods tie to the digital asset/impact chain, how to move from risk to resilience, and orchestrate risk across IT, cyber, op risk, incident and crisis response and other disciplines.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens – April 2020
- IT Risk & Cyber Risk
- 21 May 20
3 min read
Has “work-from-home” opened the door to more cyber-attacks?
In the last few months, the COVID-19 pandemic redefined risk management, forced businesses to review their cyber-attack mitigation strategies to understand the gaps in their approach to cybersecurity. Today, the world seems to be gradually re-emerging from the crisis and getting a grip on understanding the aftermath. Globally, businesses are beginning to prepare themselves for their return to work, anticipating the mid- to long-term implications of the crisis and working towards strategically responding to the challenges. While the world gets ready to adapt to the New Normal, let’s find out what made it to the headlines in April, through the GRC lens.
Redefining the remote work environment
In early March, JP Morgan, experimented by allowing 10% of their employees to work from home. A month later, JPMorgan’s Co-president Daniel Pinto, said that staff could work from home on a rotational basis more permanently, in line with the bank’s future vision of work. Recently, tech-giant Facebook also announced that most of its employees will be allowed to work from home through the end of 2020 and Twitter made WFH permanent for all its employees.
After witnessing no significant drop in productivity with the WFH regime, organizations around the world, seem to be getting comfortable with the idea. The new social distancing policies have also got organizations reconsidering their plan to get back to office.
Arguably, COVID-19 proved to be the greatest catalyst for rapid change in workplaces. According to the Bureau of Labor Statistics, only 29 percent of Americans were able to work from home before the COVID-19 era. It now appears that this could outlast the lockdown. However, this growing shift to virtual ways of working dramatically altered the cyber threat landscape, with a potential for greater risks, this year.
Strengthening the cyber defense
In the beginning of April, Marriott International revealed that a security breach may have exposed the personal information of 5.2 million guests. Soon enough, Cognizant was hit by ‘Maze’ ransomware attack, causing disruptions to some of its clients. Zoom, a heavily-used video-conferencing app, was again compromised by credential stuffing and over 5,00,000 credentials were sold on the dark web. Recently, Unacademy, an India-based online learning platform also suffered a data breach that exposed details of 22 million users.
Phishing increased by 350% since the coronavirus outbreak started (between January to March 2020), according to data gathered and analyzed by Atlas VPN. It goes without saying that remote work inevitably brings a new set of risks and challenges.
While we can’t solely blame the shift from office spaces to work from home for the increase in cyberattacks, organizations need to step up their cyber game to align better to this new way of working.
In a recent virtual conference, hosted by Global Cyber Center of NY, William Altman, the company’s Senior Analyst, said, “Organizations of all kinds are facing an uptick in email-based threats, endpoint-security gaps and other problems as a result of the sudden switch to a fully remote workforce…It’s now more important than ever to consider both the security practitioner as well as ethical-hacker perspectives in order to stay secure, that’s what this is all about.”
Looking at the brighter side, we can believe that every crisis comes with opportunities for reinvention and differentiation. Although, no one could have predicted the upheaval caused by the COVID-19 pandemic which disrupted businesses and economies around the globe, it has now become imperative for organizations to pay extra attention to the blind spots in risk management and strengthen their cyber defense.
Jump to Topic
Related Resources
Blogs
In the rush toward tech tools to manage COVID-19, societal and ethical risks must be center stage
- Risk Management
- 12 May 20
6 min read
Introduction
We are in a defining moment. The global coronavirus pandemic has now affected three million people globally, and the world is desperately seeking ways to manage its toll on society. The speed and depth of the pandemic is forcing us to adopt drastic crisis management strategies. Using data-driven technologies, artificial intelligence (AI) and health tech applications are incredibly promising, especially when they are cross-fertilized. But low maturity and insufficient understanding of the ethical and societal impacts of these technologies pose risks to democracy and the right to privacy. We need to better understand the dangers of rushing toward these tech solutions without fully considering the societal and ethical implications.
Many are scrambling to find solutions and adequate responses that can save lives and ease suffering, track the spread of the virus, and find a way forward. While it is tempting to rush toward quick tech solutions, we need to think about the long-term threats and implications of the choices we make. We lack the tools to detect, measure, and govern how these tech solutions for COVID-19 are scaling in broader societal and ethical contexts. And, we can’t lose sight of potential threats to democracy and the right to privacy in deploying AI surveillance tools to fight the pandemic. Citizens need transparency in how their personal data is collected and used, and assurance that tech solutions which use a more privacy-intrusive surveillance approach to track the disease, are not normalized in post-crisis times.
Even before the emergence of the novel coronavirus that causes COVID-19, the field of digital health was a highly fragmented ecosystem. Multiple technologies demonstrate incredible promise and potential in the field of health. Smart phones can provide information via apps that help you learn about or track your own health data. Mobile location data can provide valuable information as to how a disease spreads, and location information and social media can be used for contact tracing. AI can help identify drugs that can cure or predict a disease, indicate the effectiveness of diagnosis, or track genetic data, similar to big data. Telemedicine enables doctor-patient consultations anywhere in the world. Blockchain (a growing list of records, called blocks, that are linked using cryptography) will help us keep track of medical records, supply chains, and payments. Along with these technologies’ promise, however, is the allure of data as the new gold which everyone wants to monetize. For example, in digital health, insurance companies are using data-driven technologies and AI without sufficiently considering and understanding ethical consequences. Furthermore, the tech giants are set up to maximize their profits and governments are set to act bold and fast.
The incentives to pursue these solutions clash with public skepticism and concerns about privacy protections. Four out of five Americans are worried that the pandemic will encourage government surveillance, according to a just-released survey from CyberNews. The survey also revealed 79 percent of Americans were either “worried” or “very worried” that any intrusive tracking measures enacted by the government would extend long after the coronavirus is defeated. Only 27 percent of those surveyed would give an app permission to track their location, and 65 percent said they would disapprove of the government collecting their data or using facial recognition to track their whereabouts.
Lack of governance and transparency will surely lead to an erosion of trust. Companies’ rush to develop technologies to track coronavirus infections is outpacing citizens’ willingness to use them. About half of Americans with smartphones say they’re probably or definitely unwilling to download apps being developed by Google and Apple to alert those nearby they came into contact with someone who is infected, according to a Washington Post-University of Maryland poll. That’s primarily because they don’t trust the tech companies to treat their data securely and privately.
We need to find ways to balance smart solutions with a surveillance economy. We must consider through an ethical and societal lens who is benefitting – it may not always be the patient, the nurse or the doctor. Being thoughtful about the potential ramifications is especially urgent with little to no supporting policy or regulatory frameworks. We need to be careful not to act impulsively and regret it later.
There are ways to approach this ethical dilemma responsibly. For example, researchers at Lund University in Sweden have launched an app (originally developed by doctors in the UK) to help map the spread of infection and increase knowledge of the coronavirus. It is called the COVID Symptom Tracker and it makes it possible for the public to report symptoms and thereby provide insights into the national health status. The free app is voluntary, does not collect personal data and the user’s location is based only on the first two digits of the postal code to protect the user’s identity. No GPS data is collected and the app does not in any way attempt to trace the user’s movements. Further, it is used for research, not commercial purposes.
Another example is Swedish telco company Telia Company, providing mobility and data insights to cities, with anonymization features designed to protect citizen privacy. The solution can track where the disease is moving, but it is not privacy intrusive as the data is anonymized and aggregated and does not identify individuals.
So, what is the best way to use tech to fight COVID-19? There is no panacea, but these recommendations can be helpful in addressing this dilemma going forward.
- Despite the obvious risks, like privacy intrusion, bias, and discrimination, companies and other developers should take active measures to protect and preserve privacy and should use and manage tools wisely.
- Companies should be transparent and publicly state how they are – and aren’t –using the data they collect as part of their pandemic response. A higher level of transparency is a growing expectation from employees and consumers alike. Recent Digital advertising trends survey by Choozle.com found that 89 percent of consumers wish companies would take additional steps to protect their data. Governments should act swiftly to make these technologies available but ensure appropriate frameworks and compliance tools are in place to prevent misuse or overuse of data.
Companies should explore methods and tools which can help to identify and characterize data-driven risks. AISC and MetricStream have launched an AI Sustainability risk scanning self-assessment tool which does just this.
For more information about AISC and MetricStream’s partnership, and how we jointly offer tools to detect data-driven risks, visit our website.
About the author:
Elaine Grunewald is an expert in the technology sector and effects of digitalization, as well as the global sustainability and development arena, where she has had leading positions and roles, including Chief Sustainability & Public Affairs Officer at Ericsson. Today she is also a Board member of SWECO AB and the Whitaker Peace and Development Initiative. Elaine has worked with digital health initiatives for over ten years. From implementation projects in Africa exploring the most basic use of mobile phones for Community Health Workers to collecting health data in rurally impoverished villages, to using cell phone data to track the spread of Ebola in West Africa, to more recent industry and policy initiatives such as the Broadband Commission for Sustainable Development and the Digital Health Initiative.
Anna Felländer is one of Sweden’s leading experts on the effect of digitalization on organizations, society, and the economy. She recently had the role as Chief and Digital Economist at Swedbank and has spent 10 years working for the Swedish government. She has been affiliated to the Royal Institute of Technology, and has had advisory roles in government, the digital start-up scene, and large organizations focusing on Artificial Intelligence and Ethics – including the Minister of Digitalization. Anna has served in the Swedish Ministry of Finance and Prime Minister’s Office in the Crisis Management Coordination Secretariat during several global and national crises and has been an advisor to the Minister of Digitalization in Sweden.
Both Anna and Elaine have deep knowledge and experience from industry, academia, and policy on the impact of digitalization on society. They are the founders of the AI Sustainability Center. Their full bios are available online at www.aisustainability.org
See the AISC Risk Scanning Offering
See the AISC Risk Scanning demo video
Try our the AISC Mini Risk scanning survey
Jump to Topic
Related Resources
Blogs
How to Create a Robust Business Continuity Plan
- Risk Management
- 11 May 20
4 min read
Introduction
The sudden outbreak of the ‘black swan’ event COVID-19 is prompting most business leaders to brace up for the toughest phase in their careers. The biggest challenge facing them right now is business continuity. They are revisiting, testing, and reworking their business continuity plans to proactively figure out the best-suited approach for their unique situations. The key here is the speed of response to a situation in these uncertain times. Hence it is imperative to have 360 degrees agility assessment of resources, systems, policies, procedures and capacities in hand to mitigate risks.
Your business continuity plan should be able to mitigate the adverse impact on critical assets, have guidance to bounce back after initial disruption quickly, have the ability to launch new processes specific to the particular crisis i.e elements defined which can be quickly assembled and customized to take care of that specific situation.
Below is a rundown of various factors to watch out for and skillfully navigate the impact of the crisis that remains for a considerable time, even after it is over.
Here are key steps to build the plan
- Define purpose and objectives clearly
- Build accountability for implementing the plan
- Gather input – risk matrix and risk scores
- Assess the risk of potential consequences on functions and operations
- Ensure they are included in the risk register
- Put measures in place to ensure the safety and security of employees, assets, and operations
- Activate the plan
- Monitor, up-date as needed
If you have a comprehensive corporate risk management policy, and tool, its principles still hold good. If your tool facilitates you to identify, assess risks, and develop the preparedness and response actions to the identified risks, escalates them to the c-suite, and monitors all the levels, you can do the planning under the corporate risk management policy. However, understanding the process greatly helps build a robust plan.
- Define your purpose and objectives for the business continuity plan clearly
Your goal can be very focused on increasing the company’s resilience in case of potential disruptions. After defining the purpose, enlist your key objectives of the plan in clear terms. Elements may include:
- To ensure continuity of critical business operations and IT operation essential for conducting business during the crisis
- To minimize the disruption of critical operations to a near-zero level with a resilient business continuity strategy and framework while meeting regulatory requirements
While executing each of the following steps of the business continuity planning process, make sure to document them. They can be verified and revised before releasing the final plan.
2. Build accountability for implementing the plan
While the ultimate responsibility may rest with the board, accountabilities for management and execution must be defined. A senior executive accountable must:
- help employees to understand and become familiar with the plan so that they can effectively carry out their roles when the plan is ready.
- ensure that the plan is maintained, reviewed, tested, and revised regularly
- approve and signoff off every time the revisions or updates are made
BCP Roles
3. Gather inputs, Identify and score risks
- To start planning, invite the head of each function including representatives from operations, supply chain function, human resources, administration, IT, and communication, security, and other departments of your business.
- Use a risk matrix as shown below to identify and record key risks. In the same matrix, record the potential consequences on staff, operations, assets, and facilities. Obtain the risk levels by defining the impact of the characteristics and likelihood of occurrence.
Using the risk scoring table, determine the risk criticality levels. These scores will allow you to prioritize addressing of risks.
4. Assess their potential consequences on functions and operations
Once you have scored the risks, classify which risk actions you need to start, and which risk actions are already in effect. For those risk actions already effective, check and ensure if you need to bolster or improve them. Consider the following examples:
- During this time of COVID –19, banks may have to make adjustments in operating models and make swift innovations due to the misaligned revenues and cost. Also, there is a huge change in customer service preferences. Customers are increasingly looking to run their financial life through apps and online banking. And so, banks are expected to act swiftly to increase awareness and take other response actions.
- A retail store that focused on offline sales might choose to increase the focus on online sales.
5. Then ensure that the critical risks and risk responses are included in the risk register
This step mainly will help in budgeting and finance allocation.
6. Put measures in place for the safety and security of employees, facilities, staff, and operations
Examples include:
- Policies and SOPs for remote working
- Policies and SOPs the safety and protection of employees of some essential roles that need to be conducted from an office or on location
- Cancellation of business trips, meetings and events and the arrangements for virtual meetings
- A taskforce to continuously assess the COVID-19 situation and a clear command and control matrix, covering all functions with a needed backup
- Engagement with the third parties and partners who support to strengthen the continuity of your operations further and minimize the impact
- SOPs for communicating emergencies
- Facility specific security plans
- Asset protection policies – ex. Inventories, information technology resources, etc.
7. Activate the plan
Use risk assessment and possible scenarios as triggers for activation or deactivation of the plan.
8. Monitor, up-date as needed
Monitor and regularly update the plan according to the evolving risks and needs.
Apart from the plan when all comes to normal situation people expect businesses to be more aware of social responsibilities and particularly during pandemic situations how the company is aligned with environment, health and safety-related activities, that will play a big role in brand building and hence it needs to be well thought out and documented.
Here’s to your business continuity planning success!
Jump to Topic
Related Resources
Blogs
COVID-19: Working From Home Confidently and Competently for Business Continuity
- Risk Management
- 07 May 20
4 min read
Introduction
For many of us our world careened off the road suddenly as city after city and state after state implemented some version of “Stay at home” directives affecting over 90% of the U.S. Some industries were already heavily into the work-from-home mode while others were moving in that direction. Whatever your situation, most of us are now ensconced in the guest bedroom, corner of the kitchen, basement, or garage, laboring at our computers, trying to balance home, family, and work life. We decide whether to risk a trip to the supermarket or call up a food delivery service, whether to mask-up for a walk around the neighborhood or climb on that stationary bike for one more ride.
What credentials do I have to give you advice? In 1989, the company I worked for sent me to another country once a month to work. They outfitted me with a “portable” computer, encased in a suitcase, that went aboard with checked luggage. When I set it up in the corporate apartment, I plugged the handset from the rotary phone into the apparatus to communicate with the mainframe. Since starting my consulting business in 1995, I’ve spent about half the time in a home office working with clients holding online meetings and training sessions.
Whether you’ve worked from home for years or just started, here are basic guidelines to help you through this stint or prepare you for a permanent workplace change.
Optimize your home office
Carve out your workspace and have everything you need: technology, connectivity, security, and capacity. If your company did not supply you a printer/copier/scanner, purchase one. Have a shredder to minimize paper clutter and assure security. Without these, you will not be as efficient as you need to be. If you have a permanent place to work, organize it for your preferred way of working, neat or messy. If you’re working on the kitchen table organize your equipment and supplies for efficient set up and break down. Use a rolling cart, temporary shelves or plastic storage bins. Consider comfort over style, convenience over aesthetics.
Social distance does not mean social isolation
Stay in regular contact with your colleagues and friends. Begin every online meeting with a few basic questions: How are you doing? How is your family? What’s your biggest challenge? How are you coping with it? How can I help? What’s your biggest discovery to help your teammates? This is more important than the business on your meeting agenda. Spend time so everyone can share what is happening. In the “agile” approach implemented in many organizations, the morning meeting is a staple where people tell what they were working on and where they need help. Modify this to address the human side of your “human resources.” Everyone’s stressed, frustrated, a little stir crazy, and dealing with a new set of issues on top or the what’s required for work. People are reporting those few minutes of socializing are a ray of sunshine. This is no time to ignore our human need for human interaction.
PLAN
Plan is not a four-letter word. Even if team and individual planning were not highly structured before, creating and executing plans is the most successful strategy for working remotely. Base your plan on your team and company mission. What are the results you need over the coming period to fulfill your mission? This coincides with our psychological need for purpose. Put together Action Plans (not To-Do lists) for what each person is responsible for accomplishing to meet each goal. Involve team members as individuals and as a group in figuring out HOW to get the job done. This is a time to innovate and create, one of the benefits of disruption. Use Deepak Chopra’s insight to your advantage that “all great changes are preceded by chaos.” You will be surprised at the hidden talent in your group. Focus on RESULTS not activity. Look for root causes when things don’t work out and modify your plan.
Be Flexible
Be ready to modify your procedures and rules based on the new reality. Do not expect everyone to be toiling away from 9 to 5. Studies show an 8-hour day has only about 5 hours of productive work because we have meetings, training, sick days, vacation, lunch, breaks, interruptions, and a myriad of legitimate activities. Allow people to do their most important tasks during their peak physiological times and use their low points for administrivia. Flexibility is a necessity. Work with your team to decide when they must be available and when it’s not expected.
There are more ideas, based on experience and research. Decide how to adopt and adapt them to your specific situation. Do not neglect the social needs as you learn to become productive, efficient and effective in this new world, which may be with us for a while. Be aware of what you are learning about yourself, your team, and your organization. Be ready to implement improvements when your return to “normal,” the “new normal,” or permanently changed work environment.
— Rebecca Staton-Reinstein, PhD, President, Advantage Leadership, Inc.
Jump to Topic
Related Resources
Blogs
Risk Management Strategies for Small and Medium Enterprises (SMEs) to Survive in the COVID-19 Economy
- Risk Management
- 14 April 20
6 min read
Introduction
The coronavirus or COVID-19 presents a significant threat to all kinds of business and more to SMEs. Among the many other problems, the moves of the government to contain the public health risk may have caused a sudden fall in demand for your products or services, staff shortage and supply chain disruption.
Your business may be more fragile or cash-strapped due to lowered demand. Nobody knows how long the COVID-19 crisis will last. If the crisis is going to be a prolonged one, either the consumers will consume less or change the way they purchase. Now’s the time to activate a robust action plan to position your business to navigate the COVID–19 crisis and be ready for a rapid recovery when things show positive signs. Your risk management strategies will come in handy to help you sail through the disruption and lift you through the coming hardship.
Here are the key steps to success:
1. IDENTIFY, ASSESS AND MANAGE THE RISKS
he first step is to identify and understand risks which are very unique to your business. The best way to do it is to use the existing risk management principles to make improvements as per your current needs so that you will not only weather the present COVID-19 crisis, but also get back to high performance quickly.
What are the Risks to Identify?
The biggest risk is COVID- 19. Infection to those who may be at risk may include your staff, visitors to your business facility, cleaners, contractors, etc.
Other risks may include disruption due to social distancing, plummeting employee productivity, tensed supply chains, recession, unemployment, investment pull-back and civil unrest.
Apply the principles of Risk Management to identify the risks
If you already have a risk management practice in place, you can use its principles as shown below as ready reckoners, or you can start following the tried and tested practices.
Enterprise Risk Management (ERM): Systematically helps identify, assess and monitor a wide range of risks (e.g. strategic, financial and legal risks) and the need to find mitigation strategies.
Operational risk management (ORM): Provides insights on how to catalog operational risks and associated details in a common risk repository called a risk register, and link risk appetites to business objectives which can enable assessments of risk to calculate inherent and residual risks and help in creating risk mitigation strategies.
Digital Risks: These can occur due to risks associated with enterprise technologies and third parties. During this time of COVID-19 Crises, risks can come even from social engineering scams.
Business continuity management: Covershow to plan and execute a centralized approach to business continuity and disaster recovery (DR) management across organizational functions, to improve response time during critical events, and more.
Internal Audit management: Provides insights onrisks including risk assessments and defines action plans to remediate issues and monitor them to closure.
How to Assess Risks
Steps to follow are:
- Risk identification which follows event identification and precedes risk response
- Develop assessment criteria
- Assess risk interactions
- Prioritize risks as per their probability, vulnerability and speed of onset. You can define these under 4 criteria like high/some/small/very little probability.
The next steps in risk assessment steps include risk analysis, risk evaluation, risk communication, and risk response.
Risk assessment helps in reducing operational risks, improving safety and performance, and achieving objectives.
2. DEVELOP MITIGATION STRATEGIES
Depending on your industry, company size, location, and other factors, you can make a wide range of preparations. Your risk response should be driven by the decision of risk acceptance, reduction, sharing, avoidance or complete elimination of each risk.
Below are some common areas that will help you plan your risk mitigation:
- You can consider moving your budget from fixed cost to variable spending. Reconsider the rent on office space as more employees will be working remotely.
- Cash is king for businesses – it is wise to cut down unnecessary spending or expansion plans to conserve the cash.
- While focusing on the operational elements of risk management such as taking care of people, having them work from home, it is also critical to think from the viewpoint of compliance by publishing clear HR policies, data security policies, confidentiality and other policies.
- You may choose to shift toward the localization of your supply chain so that you can be immune to the increasing protectionism and risk aversion due to a recessionary climate.
- Digitization: More than ever before, digitization is getting a real push, and everybody is on a fast forward mode to experiment with digital channels into every aspect of their business. But this calls for more investment in the cloud, data, cybersecurity, and digital risk management.
- Increase supply chain resilience: While it is good to localize supply chains, it is required to build capabilities in your supply chain to respond to unexpected events quickly or return to the earlier supply chain as soon as possible or innovate to get to a better state.
- Be sure to connect and maintain repositories of all risk mitigation activities, procedures, and controls in one place to make it easily accessible when needed.
- Put internal controls in place to mitigate risks. For example, in the context of COVID-19, simple controls may include hand washing, cleaning, social distancing, etc.
3. DO REMOTE AUDITING
After you have put all risk mitigation strategies and controls in place, you need to do auditing to check if all is working well. But during this restrictive time, you will have to adapt to remote auditing as it is a quick and efficient way to assess and minimize errors, and enable significant savings on time and effort. The use of audit functionalities on smart devices has been greatly transforming the changing audit landscape.
- Replicate face-to-face working environments with virtual environments including phones, computers, and services.
- Capture organizational communication processes when defining remote auditing
- Virtual storage of records (shared or isolated)
- Broadcast messages – video conferencing, teleconferencing, email or group meetings
- Prepare well before virtual meetings to ensure every dialogue for decision making is covered and before concluding the meeting, clarify action items, owners, and deadlines.
- Have a central location that contains an up-to-date contact list with email, phone numbers with work time or work shifts.
- Set up online audit scheduling, format, and checklist.
- Use desktop sharing features extensively as necessary for reviewing records, procedures, documents, audit trails, procedure reviews, recording meetings, video conferencing, and audio conferencing.
- Use Asynchronous communication such as SharePoint offices.
4. PUT A BUSINESS CONTINUITY AND RECOVERY STRATEGY IN PLACE
Whether you already have a business continuity plan or are putting a plan in place now, consider addressing COVID-19 in the plan. A continuity plan calls out the critical and time sensitive applications, vital records, processes, and functions to be maintained, as well as the personnel and procedures necessary to do so, while the entity is being recovered. It needs to have six major components: data critical analysis and data back-up plan ( DCA & DBP ), Business Continuity Plan (BCP), Emergency Response Plan (ERP), Contingency Testing Plan (CTP) and Disaster Response Plan (DRP)
Here are a few important steps to follow while creating a plan:
- Find and analyze Business Continuity Strategy requirements and document them.
- Review issues related to business recovery, technology and non-tech recovery issues for each support service.
- Identify, analyze, and document alternative recovery strategies.
- Compare internal and external solutions assessments of risk associated with each optional recovery strategy.
- Assess suitability of alternative strategies against the results of a business impact analysis.
- Effectively analyze business needs criteria, and the objective of planning and evaluation method.
- Senior management must be aware of the Cost/Benefit Analysis of Recovery Strategies and recommendations from experts.
Despite the uncertain times we’re living in right now, with a risk management and business continuity plan in place, you won’t miss a beat. One thing that’s special about businesses that have a robust risk management plan is that they will get through the difficult COVID-19 crisis, will have a V-shaped recovery curve and bounce back faster than others.
Stay Safe & Stay Alert
Jump to Topic
