Posted on: April 29, 2020 by
“We are living in a global public health crisis moving at a speed and scale never witnessed by living generations … No matter how this plays out, life will forever look different for all of us” – Cornelia Griggs; mother, writer, and pediatric surgery fellow
As we continue to navigate through the response to the COVID-19 pandemic, strategies addressing the restoration and resumption of operations in the “new normal” are being developed. For governance, risk, and compliance (GRC) programs, this will require re-tooling resilience strategies and risk management approaches that have traditionally seemed effective. New strategies, methodologies, roles, and assessments will need to be developed to anticipate and respond to environmental and pandemic events in the future.
“People First” Focus
The primary focus for all organizations confronting this crisis has been people. As organizations rebound from the pandemic, people should be the first priority. A focus on “people first” has two aspects. Most organizations have established robust and frequent communications with all employees; this must be continued to ensure that employees receive all the information needed to personally plan and prepare for a return to their normal place of work. The other consideration in planning for resumption of operations must include detailed steps to ensure that employees are healthy before returning and coming back to a safe work environment.
Risk management programs must now address the challenges organizations face with a more mobile or remote workforce and potentially a “stay at home” economy. Incorporating new risks and controls into a GRC program and developing greater organizational resiliency will involve considerable effort.
Governance and Risk Management
Re-examining and establishing the governance of operations in the “new normal” must also become a top priority for GRC programs and organizational resilience. Governance will need to expand to include external factors such as: customer factors, competitive factors, economic factors, and geo-political factors. Organizations must consider the entirety of their ecosystem. Executive leadership must enable more frequent, data-driven communications from their risk assessment software and operational management teams to ensure compliance with policies enacted for organizational resilience. This is particularly important for larger organizations with hierarchical challenges or “silos” that have historically prevented aggregation of information and limited informed planning and decision-making. New roles will become necessary to enable a clear lens into information that is specific to ecosystem disruptions, which have traditionally been considered beyond the scope of the program. A Chief Resiliency Officer responsible for leading the response and recovery of an organization from events like COVID-19 should be established, as this role that ensures a top down dissemination of responsibility throughout the organization, and a bottoms up availability of current and accurate data to the executive team. As responsibilities are disseminated, each role must be given the authority and the ability to make informed decisions at the local level related to personnel and operating assets. This new program approach will result in operational resiliency and effective risk management inclusive of environmental and pandemic disruptions.
There should be an urgent effort to enhance an organization’s current risk assessment schedule, prioritizing operational risk assessments focused on a taxonomy of integrated risks and controls developed specifically for environmental and pandemic threats and vulnerabilities. Different disruption scenarios should be developed, in coordination with resilience strategies, and designed to anticipate and react to risks resulting from the broad spectrum of external factors. The IT risk assessment should first focus on critical business operations. The human, financial, technological, and operational implications within each disruption scenario should be fully understood.
Supply Chain/Service Chain
The pandemic has stretched organizations and their partners to their limits and created havoc within supply chains. Organizations must develop realistic views of their supply chain, and its single points of failure where disruptions are most likely to impact them and their customers. The information foundation supporting their supply chain dependency mapping should be built at the service level and linked to processes for each product/service provided by an external party. This data model will enable accurate reporting on gaps between requirements of the organization and each external party’s capabilities to meet those requirements. It is critical that organizations get an accurate representation of the inputs from suppliers and then identify alternate sources in order to meet delivery obligations. Because we are human beings, it will be our personal tendency, and therefore our collective motivation, to be optimistic in the ability to deliver, so efforts to get a realistic picture will be paramount. Simultaneously, new vendor risk strategies must include realistic communications, including accurate data to their customers without false promise of service delivery.
Reputation risk will finally take its place amongst the top risk categories alongside operational, financial, and strategic risk. Additionally, a new set of risk statements must capture the challenges organizations have experienced in communicating with personnel during the pandemic. A focus on external communication is imperative. Proactive communications measures to reassure all customers, stakeholders, community members, and the general public should be deployed. External audiences want to know what happened, what mitigation efforts were put in place, and how the organization can assure it will be able to deliver in line with expectations. By demonstrating that the organization is “open for business,” it reassures employees, communities, and investors of its viability.
Specific to financial institutions, the Federal Reserve Board has provided additional information to organizations on how its regulatory supervision would be modified. Moving forward, the FRB has highlighted the following changes:
- Large banks should have submitted their capital plans, developed as part of the Board’s Comprehensive Capital Analysis and Review. These plans will be used to monitor how firms are managing capital levels in the current environment
- Additional time will be made available in an effort to encourage organizations to resolve non-critical existing supervisory findings as well as re-directing focus on heightened risks coming out of this current environment
- The Federal Reserve will introduce a new monitoring and outreach program designed to aid financial institutions of all sizes in better understanding the challenges and risks of the current environment
- Towards this end, the Federal Reserve will temporarily reduce its examination activities, with the greatest reduction in activities occurring at the smallest banks
“Life is inherently risky. There is only one big risk you should avoid at all costs, and that is the risk of doing nothing.” – Denis Waitley, author of the best-selling audio series, “The Psychology of Winning”