How are risks for organizations being changed by the global pandemic, and how should risk management processes change in response? To truly manage and monitor risks during this pandemic, the answer is more than just working from home.
Organizations are facing new and changing risks both internally and externally.
Within the organization, risks are developing as people, infrastructure, and financial environments are changing due to the disruptive nature of Covid-19. Some of the risk areas to review and consider are:
- Remote Access/Remote Teams
- Critical resource availability
- Policies and procedures for:
- Data Privacy
- Personal health and safety (social distancing)
- Physical access
- Empty/low occupancy areas
- Remote IT access
- Multi-Factor Authentication
- Remote access availability
- Business Continuity and Disaster Continuity
- Significant post-balance-sheet events to be reported
- Disclosure requirements
- Going concern requirements
Not only are organizations facing these internal challenges, but they should also look to third parties and their criticality, and develop contingency plans with them. Therefore, organizations should consider looking beyond their organization to their ecosystem to fully understand and manage risks.
How does the risk management process change?
A typical risk management process consists of the following components:
- Identify and Assess Risks
- Mitigate Risks
- Monitor the risks
- Identify and manage Findings/Exceptions and the remediation process
- Management information including Key Risk Indicators (KRI) and Key Performance Indicators (KPI)
This process does not have to change, but with this global pandemic, it will have to extend to include the ecosystem in which the organization operates. Third Party Risk Management is no longer a questionnaire that is sent out; it will require a collaborative, proactive risk management approach upstream and downstream. This means organizations will need to move from traditional Integrated Risk Management to a more holistic process – Transformative Risk Management.
So what is next?
Some potential areas and activities to start with:
- Internal assessment questionnaires
- Compliance checklists
- Task checklists will need to be created
- Adjust Third Party risk assessments
- Policies/procedures will also need to be updated and adjusted