RA Explained: Part II

The Age of COVID

As I completed my last blog in which I recalled a story about the importance of why we have Risk Assessments, I began to think about COVID and the global economic shutdown.  Very few people outside the medical field would have ever expected or contemplated putting infectious disease into a risk assessment.  Of course, we as risk professionals have all planned for disasters including extreme weather, partial shutdown, and disaster recovery for the servers going offline.  We have planned backup contingencies, such as having a backup site for the servers, or hot or cold sites for our key staff to work out of, in case we could not get to the office. But very few of our plans contemplated that an infectious disease would shut down the nation and quarantine us for months.  This is the new world we find ourselves in and we need to prepare accordingly.

Being Prepared

A few friends of mine in the IT field told me about how their office was not prepared for COVID and the shutdown. They were not prepared to give all staff a laptop and work remotely. Only the executive level staff previously had laptops. The amount of increased traffic from the virtual workload caused servers to become overloaded and shut down.

Like most of us, they figured they would spend a few hours firing up the hot site and work would return as normal. COVID has changed that type of thinking.  As risk professionals, we now must take into consideration that COVID, or something like it, will hit again soon. We will need to add this reoccurring risk to our best practices and incorporate it into our risk assessments and work with the business to remediate and lower the risk.  

Incorporating COVID into the Risk Assessment

How should risk professionals, compliance professionals and internal audit professionals incorporate the risk of COVID or infectious diseases into our risk assessments? First, learn from the real-life examples you just experienced in the first half of 2020.  Take a hard look at your team, your department, your organization as a whole.  Spend time getting into the details.  Don’t just focus on what went wrong, but spend time on what went right as well, as those are wins into which you can build. In your review / findings report be sure to call out those functions that did well.  It is important to recognize the staff who exceeded expectations during this time of uncertainty.  

 “Recognition is not a scarce resource. You can’t use it up or run out of it.” ~ Susan M. Heathfield

For the tasks that did not go as smoothly, take a hard look at why things went wrong. Don’t blame people. Identifying and remediating risk is not about blame, but about finding solutions.  Below are a few best practices I like to use when helping the business come to terms with any risk identified and how to get the train back on the tracks.

Best Practices in Four Steps

1. First – Education
   You must educate the business function you are working with on what the risk assessment is and why you identified it as a risk. Help them to understand your risk methodology, scoring and why you ranked the risk as you did.  Allow them to counter your ranking. Listen to them and if they present a good factual argument, consider changing your ranking.  Risk professionals are not tyrants that are looking for the “ah ha, got ya” moment. We support the business. Our job is to make the business stronger, so it can succeed at its core mission.
2. Second – Support
   Once the risk level has been agreed upon, it is now time to get to work to reduce the risk. While some risk professionals might say, my work is done at this stage and leave the business to fix the problem on their own, that is not how I like to work.  I want to support the business function in their remediation efforts.  I feel it is my role to provide support to the business to help reduce future risk.  An example of this is recording the issue in a log and tracking the progress. Schedule ongoing status update meetings for the business, attend those update meetings, and offer guidance or advice. Most of all, keep senior management informed of the status of each risk and where it is in the remediation process. A well-informed management team can help “grease the wheels” when needed.
3. Third – Update the Risk Assessment
   It is important that you regularly update the risk assessment with all the newly identified risks.  For small risk, annually is fine. But for larger risk, such as the shutdown that COVID created, it would be a good idea to update your risk assessment sooner, rather than later, since the risk that COVID and the shutdown created are still very fresh in your memory.
4. Fourth – Share the Knowledge
   In addition to updating the risk assessment, ensure that the business functions are also updated on what new risks have been added.  They need to be able to prepare to address the risk or at least plan for them in the future.  You do not want to be “that” risk assessment professional that brings an updated risk assessment to a meeting, but management does not know that new risks have been added. Trust me, the meeting will not go well.  No one likes being surprised, especially during a risk assessment meeting. 

Final Thoughts

The past few months have been stressful on staff and management alike.  COVID took most businesses by surprise. No one was prepared to fully go remote with little warning and for an unknown period of time. While remote work may now seem to be the way of the future, most business were not considering it at the end of 2019, and are now just coming to terms with how to manage staff (and risk) remotely. While a lot of staff might cheer this concept for personal reasons (less commute time, more comfortable work environment, etc.) as risk professionals it opens a Pandora’s box of new risk we need to consider. Our work with identifying and risk ranking what COVID has created has only begun. 

“The future has many names: For the weak, it means the unattainable. For the fearful, it means the unknown. For the courageous, it means opportunity. ~ Victor Hugo

I would love to hear your thoughts and stories about how COVID has impacted your risk department. Please reach out to me via LinkedIn.

Chris Gunias
HDCS, Inc. |  Chief Compliance Officer