We're in a global crisis that's unlike anything we've seen or could have ever expected. All organizations are facing an unprecedented level of risk that requires timely action.
This is a time of rapid change. Drastic ad hoc actions are being taken to address challenges to operations, safety, supply chains, technology, data security, communications, and cash flow management. Ad hoc strategic actions pose major risks, and evaluating the risk of each action is critical.
The four key words to keep in mind to manage risk during this crisis are mitigate, transfer, avoid, and accept. As you evaluate action plans, consider the risks and whether there are protocols in place to mitigate risks with controls; transfer risks through insurance, third-party suppliers, or government funding; avoid risks by temporarily shutting down operations, physical distancing, or modification of work hours; or accept risks where no other options exist.
We've outlined some questions each organization should consider and recommended practical actions your organization can take to manage the risks you have control over.
- Has your organization conducted a thorough risk assessment of all critical business functions to assess the level of possible interruption and formulate measures to mitigate potential impacts, including operational, financial, reputational, and compliance risks?
  - Consider the impact of risks on a daily basis to evaluate your operational and contingency plans in the event of a 30-day, 60-day, and even 90-day quarantine. Contingency planning is a critical risk mitigation tactic.
  - Mitigate risk by conducting scenario analyses for different possible scenarios and outcomes with different approaches and strategies.
  - Engage with your bank, secure new lines of credit, evaluate newly available government funding, and have conversations with Export Development Canada (EDC) or the Business Development Bank of Canada (BDC).
- Due to the increase in remote connectivity, has your business reviewed security protocols for all company systems and data to ensure secure and private transmission and storage of organizational and client information?
  - Talk to your cloud, network, and other IT service providers to ensure that your system risks related to security, availability, confidentiality, data integrity, and privacy are covered and that these risks are managed by your service providers.
  - Map out the flow and transmission of data, identify risk areas, and implement mitigating controls to protect the security and privacy of organizational and client data.
  - Evaluate the third-party control considerations that might change in importance given your modified working environment.
  - Don't allow employees to use personal computers, personal emails, and non-encrypted mobile phones for business purposes.
  - Review security protocols and settings to ensure remote connections and individual access to systems and data are secured and operating effectively.
  - Review the capabilities of your IT infrastructure and security settings to support employees telecommuting and the secure transmission of data and information, both corporate and personal.
  - Monitor the use of unauthorized computers and their access to the network.
  - Keep an accurate inventory of all IT assets and their locations.
- Have you conducted a cyber-diagnostic assessment to identify potential weaknesses in infrastructure? Do you have a cyber-breach incident response plan that allows you to identify, contain, eradicate, and quickly recover from cyber attacks?
  - Conduct a cyber-risk assessment in order to mitigate your risk of a breach during this time.
  - Ensure that your cybersecurity and IT team has identified the risk level as maximum and is fully engaged during this time in order to mitigate the risk of cyber breaches or attacks.
  - Raise awareness of cyber risk among your staff, and ensure that they are operating with cybersecurity top of mind and avoiding inappropriate risks.
- Has your organization reviewed its enterprise-wide risk management capabilities to determine whether there are adequate resources (internally or externally) to help in assessing and mitigating risk? If internal risk management capabilities don't exist or are insufficient, has your organization considered involving the second or third line of defence (i.e., risk management and internal audit professionals) to assist?
  - Now is the time to mitigate risks posed by ad hoc processes and to have risk management professionals (internal and external) review strategies, plans, processes, and activities to ensure that the associated risk is being managed.
- Has your organization assessed the impacts of COVID-19 on its control structure, processes, and procedures, while taking into consideration emerging fraud areas?
  - Have a plan to manage key person dependencies. Identify which of your staff are critical, identify cross-trained individuals, and ensure that there are plans in place to engage the staff in the event a key person becomes unavailable to work.
  - Have plans to manage segregation of duties in a remote environment. This is going to be very difficult for many organizations. You will need to develop new and enhanced monitoring activities over key accounts, payments, and systems. Senior leaders need to take a closer look at transactions and activities than in normal times.
  - Communication is critical. Verbal communication supersedes electronic communication to ensure staff have a clear understanding of what's required of them during this critical time.
BDO can help
The current situation is constantly changing and many businesses were caught unprepared. Our team of professionals have helped a number of organizations adapt and pivot in a difficult economic environment. Contact our team to learn how we can help your business.