An unexpected arrival
On March 18, 2020, the Salt Lake City area experienced a 5.7 magnitude earthquake just after 7:00 am. I was sitting up in bed and my house was still perfectly silent when I could literally hear the earthquake coming and start to violently shake the house. It was scary and I totally forgot all my earthquake training and didn’t duck and cover. The thing is, however, it was only a medium-sized earthquake and lasted for less than 20 seconds! It was over as quickly as it started. It seems that COVID-19 has also come to shake our homes and businesses but for a longer period and have us think, are we prepared?
The effects of COVID-19 on our work activities is cause for a reassessment of risk for every organization in order to develop action plans and efficiently and effectively deploy finite resources and staff. The disruption to our businesses has been unforeseen, the changes to how and where work is performed have been swift but, in some respects, “The show must go on!” I have seen a remarkable response from businesses to examine what needs to get done and focus resources on the absolute critical tasks. While we have learned that there are interpretations as to how to proceed with business operations, we felt it was important to consider the overall impact on risk for an organization now and in the coming months.
Many of our clients undertake annual or quarterly risk assessments to keep apprised of what is happening in the business and what changes have occurred that might impact specific enterprise risks. However, the velocity of risk in certain areas has increased with work from home requirements and relaxed system and process access controls to employees and contractors. Employees are closely monitoring the tone from their executives and these will be the days employees remember – how they were treated. As some companies are forced to make difficult staffing decisions, the loss of knowledge and skills are exiting the “building” that will require additional effort for remaining employees to relearn and master. There are increased risks for fraud, cybersecurity threats and business continuity. But these are just a few examples of how the risk landscape has changed in the past 45 days. We have compiled a list of risks for consideration as you think about where your risks have changed. These risks are intended to start a conversation that leads to the smart deployment of resources and actions because, the show must go on.
Risks for consideration
- Business continuity – COVID-19 has increased the awareness of disaster recovery and need for business continuity.
- Data reliability – data is the driver for business decisions and the reliability of the data is critical.
- Technology change / systems – technology changeover plans and timely execution continue to be key issues to examine.
- Cybersecurity – security breaches are top of mind for boards and executives due to, increased threat activities, the impact on the business and loss of trust from shareholders.
- Fraud risk – COVID-19 has opened up new opportunities for fraud with employees, vendors and contractors gaining access to systems and processes in remote environments.
- Third-party reliance – third parties provide many critical roles that require proper setup, monitoring and regular inspection.
- Regulatory compliance – effective global monitoring of compliance and regulatory risks and comparison to company practices is needed.
- Tone and culture preservation – tone from top executives and how employees view their role are changing and company culture and values need to be preserved.
- Knowledge sharing – with an economic downturn, there are expectations from management to make do with who and what they have. Processes to safeguard employee knowledge and transfer are critical.
Justin Humphreys is the Internal Audit service line lead for The Cadence Group and has extensive professional and client service experience in internal audit, SOX, enterprise risk, investigations and project management. Through his client service and industry perspective, Justin has the ability to understand issues and risks from the perspective of a client and develop solutions that provide immediate benefit and minimize disruption.