This is the first part in a series of articles exploring COVID-19 Key Risks.
Many organisations have requested information and commentary in relation to risk and the impact of the COVID-19 pandemic on organisations, and many are querying which changes they should be making to their risk registers.
The COVID-19 pandemic will change the ways organisations operate in both the short and long term. What is the ‘new normal’ for businesses? What are the key risks for organisations right now? Which areas should organisations focus on in order to maintain high standards of governance, risk management and compliance?
Drawing on our engagement with organisations around the country, the GRC for Executives Blog will, over the next few weeks, publish a series of articles giving organisations a risk management perspective on the many changes and challenges they face now and into the future.
While we may rate the risks that we will discuss in this series of articles as ‘Key Risks’, new developments and new perspectives should be considered when making changes to your risk register.
Table of Contents
- How You Might Use This Content
- Business Continuity Planning
- What Should Organisations Do Now?
- Risks to Add to Your Register
- Action Checklist
- How CompliSpace Can Help
- Tips For Using Your Assurance System
How You Might Use This Content
1. Create a Specific Risk Register for the Management of these Risks
The register can be used to focus the organisation’s leadership on these specific risks and on the implementation of controls to manage them. Many risk controls may already be in place, so it is essential to start by evaluating the effectiveness of the current controls for each risk. For example, if there is already a fraud and corruption program in place, check whether it properly addresses staff working from home. After reviewing the effectiveness of the current controls, the next step is to plot likelihood and consequence to obtain a risk rating. After rating each risk, the organisation’s leaders should consider what additional controls or ‘risk treatments’ may be required. This is a cyclical, continuous improvement process: once the risk treatments or additional controls are implemented, the risks and the effectiveness of their controls should be reviewed again at regular intervals.
2. Create a Checklist
Create a checklist that leadership reviews every few months to focus their discussion and decision making on these issues, helping them identify problems and find solutions.
3. Issues Summary and Action Plan Communicated to Staff and the Board
Provide a short summary of the issues related to the risks to alert staff and key stakeholders and increase their awareness of these issues. At the same time, you could also indicate, for example in an action plan, what additional measures are being implemented to address the issues.
Business Continuity Planning
There are many events that have the potential to significantly disrupt the normal business functions of an organisation. These events can collectively be referred to as risks to business continuity. The challenge for any organisation is to develop a comprehensive business continuity plan (BCP) to support and enable normal business functions to be maintained in the event that a risk to business continuity materialises.
Business continuity planning should involve consideration of both the likelihood and the consequences associated with the many risks that threaten business continuity. Organisations should therefore consider what steps can be taken to reduce the likelihood of a risk to business continuity occurring and, if the risk does materialise, what steps can be taken to reduce the consequences or impacts on business continuity. All of this should be included in a comprehensive BCP. An organisation’s hard-won reputation can quickly diminish if responses to critical incidents and natural disasters are badly handled and chaotic. A comprehensive BCP is designed to enable a systematic and planned response to any threat to business continuity.
Prior to the COVID-19 pandemic, many organisations already had well-developed BCPs, and those that didn’t probably wished that they did. However, even organisations with a BCP have found that it did not adequately account for the scale and complexity of the interruption caused by the COVID-19 pandemic, and it’s not over yet. Many BCPs did not identify a global pandemic as a source of business interruption and, even where it was included, the BCPs often did not foresee what has occurred in relation to the COVID-19 pandemic so far. The COVID-19 pandemic has highlighted that constant effort is required to improve business resilience, and that organisations need strategies, tools and effective people to adapt quickly. For an organisation to have confidence in its BCP it needs to ‘stress test’ the BCP. This can be done by using a wide range of ‘what if’ scenarios to determine whether the BCP is actually effective in helping to maintain business continuity.
Organisations also have an opportunity to learn from the COVID-19 pandemic and consider what they might do differently to help maintain business continuity, should the same or similar circumstances arise, or a COVID-19 ‘second wave’ occur. Just because lockdown restrictions are easing does not remove the need for careful ongoing business continuity planning. Ongoing business continuity risks from the COVID-19 pandemic include one or multiple positive tests within the organisation, potential further general periods of lockdown, and the possibility that some businesses may have a substantial period of lockdown if their premises are in a pandemic ‘hotspot’. Consideration should also be given to similar disruptions occurring to supply chains.
Any failure to maintain business continuity can lead to a lack of confidence in the organisation and its leadership, which in turn is likely to lead to a loss of business and the loss of good staff. While organisations will generally have retained the support of their key stakeholders while negotiating the initial phase of the COVID-19 pandemic (which now seems to be coming to an end), those same stakeholders are unlikely to continue their support should there be any major mistakes and missteps in relation to any further lockdowns.
Risks to Add to Your Register
Many organisations will have a business continuity risk in their risk registers. The risk should be worded as a failure to have an adequate BCP and could read like this:
Failure to implement and maintain a business continuity plan appropriate to the size, nature and level of complexity of the organisation.
Some organisations are also including ‘pandemic risk’ as a risk in their risk registers, which could read like this:
Failure to have systems, policies, resources, and procedures in place, to substantially avoid major impacts to business continuity and financial viability from a global pandemic that substantially impacts the local population.
Action Checklist
- Consider including BCP Risk and Pandemic Risk in your risk register
- Set up ongoing evaluation and reporting of the impact of the COVID-19 pandemic on your operations now and in the future – consider an internal audit of all aspects of your business and use this information to update your BCP
- Track the effectiveness of risk controls and risk treatments for business continuity risks
- Identify what your key suppliers and clients are doing in responding to the COVID-19 pandemic and consider building this into your BCP response
- Incorporate COVID-19 information into your BCP to refine business impact analysis measures for more accurate scenario definition, likelihood and impact on the organisation of the same or similar events
- Determine how often you should be reporting on the various parameters
How CompliSpace Can Help
CompliSpace is helping organisations of all sizes manage these challenges via our GRC tool (CompliSpace Assurance) and our consulting services. Click here to download a brochure of CompliSpace Assurance. Contact us to request a demo for your organisation. The next section describes some of the ways we are helping our clients.
Tips For Using Your Assurance System
There are numerous ways to use the CompliSpace Assurance System to help you address business continuity challenges. We've provided a few suggestions below. CompliSpace clients can contact their Consultant for additional help.
- Use tasks and checklists in your CompliSpace Assurance system to bring your BCP and business impact analysis to life
- Set up a Pandemic Risk and BCP Risk on your risk register to track the controls and treatments through tasks
- Review the effectiveness of the current controls for Pandemic Risk and BCP Risk, in light of the COVID-19 pandemic and review your likelihood and consequence ratings for each risk
- Where your organisation uses ‘Business Continuity’ as a risk flag, review all risks on your risk registers to ensure that every risk that may impact business continuity has been flagged
- Develop a set of ongoing tasks and checklists for both the BCP and Pandemic Risks and ensure that these tasks and checklists are linked to these risks
- Identify and attach your BCP as a risk control strategy for both the BCP and Pandemic risks
- Consider using the risk tolerance functionality to reflect the risk rating your organisation’s leadership team will tolerate if this risk event was to occur again
- Review your risk reporting and ensure that you have set up a report to monitor the risk control tasks and checklists you have set up for each risk. The report will enable the leadership team to determine whether control tasks and checklists are operating to reduce the likelihood and/or impact of each risk. To set this up in CompliSpace Assurance:
  - Go to the ‘Reporting’ section
  - Choose the built-in ‘Risk Task Results’ report
  - Customise the fields, save the report, bookmark it and subscribe to have it delivered to your inbox and those of other full users at a frequency of your choice
The CompliSpace Assurance tool can help you evaluate the impact of the COVID-19 pandemic on your organisation, looking both internally and externally.
For internal review, CompliSpace Assurance can be used to create a survey that proactively assesses the impact on your staff of the new ways your organisation is conducting business. This will provide value-added feedback to senior management and the board.
For external review, you can monitor your external service providers and contractors by sending them a due diligence checklist to complete. Questions might include whether they expect any disruption to supply chains or substantial changes to business as usual operations. You can set this up in CompliSpace Assurance as a form or checklist.
A CompliSpace Consultant can assist you in identifying, analysing, evaluating and treating your risks. If you do not have a business continuity, incident management, risk management or crisis plan, or if the ones you do have are not working, it is not too late to seek advice on reviewing, improving, creating or implementing them.