How Internal Auditors and Risk Advisors Can Better Prepare for High-Risk Events
May 27, 2020
In hindsight, what is the likelihood that a pandemic like the coronavirus (COVID-19) would spread to the United States, cause governments to require nationwide business closures, and render millions of Americans unemployed? From a risk standpoint, most would historically have assessed that likelihood as low.
While the likelihood is low, the impact is tremendously high. It is fair to say that few predicted a pandemic would strike so rapidly, with such high impact to so many people/industries, current states of operations, and business functions.
How can we learn from what is happening, adjust, and develop for the future? A forward-minded organization can use this time as a period of reflection: assess its current risk environment and determine where to focus efforts to mitigate risks in case a high-risk event occurs again.
Building the Foundation for High-Risk Event Preparedness
The Impact on Your People
People perform the work to achieve the organization’s objectives. While each department within an organization may have different needs during a high-risk event, employees as a whole are impacted in one way or another.
- Front line employees may have concerns over their health and safety if their job requires them to work directly with the public.
- Back office employees, such as finance or procurement, may face increased pressure from managing an influx of emergency requests.
- Various employees have to migrate to different working environments.
The organization should seek to mitigate risks associated with high-stress environments, health and safety concerns, productivity, operational abilities, and morale. Management considerations include:
- Who manages risk/response and how are people communicating risk mitigation plans and strategies?
- Did processes and systems keep people safe and functions operational?
- How did leadership react and respond?
- Should there be a centralized body to manage risk?
- Should an independent department emphasize low-probability/high-impact events during risk assessment exercises?
- How can Internal Audit, Enterprise Risk Management, and other risk functions better align and communicate?
Examining the Processes
Processes set the stage for people to perform their duties by defining standards for performance. Processes are defined through organizational policies and explained through standard operating procedures. They provide the structure to make processes repeatable, scalable, and efficient. However, processes may need to change and adapt based on high-risk events. Management considerations include:
- Did the organization have business continuity plans, continuity of operations plans, and/or disaster recovery plans that were documented, tested, and internally known?
- Were key business processes documented, current, communicated, and accessible?
- Was the organization able to adjust strategies and processes to adapt to the current environment?
- Was the organization able to monitor current risks, identify new risks, and develop or monitor controls in the current environment?
- What were lessons learned and how can they be applied to improve business processes going forward?
- How can the organization utilize data captured to change business processes?
Deeper Dive Into Technology
Technology allows and assists the people and processes to operate efficiently, effectively, and in some cases, automatically. As bad as this pandemic has been for the economy and business operations, imagine working without today’s technology, which allows us to communicate effectively, virtually collaborate with co-workers and customers, and most importantly, continue to work safely, even if remotely, in the face of a situation that restricts office work. However, changes in operations to work remotely create risks. Management considerations include:
- Does the organization have telecommuting policies and procedures to ensure appropriate and secure use of information technology assets and company data?
- Does the organization have the appropriate software strategies and solutions to reduce the risk of unauthorized access to data on mobile computing devices?
- Does the organization have the necessary tools to allow employees to collaborate and communicate effectively?
- Do employees have access to the data and systems to execute work tasks?
- Were there challenges identified that need to be addressed to improve telecommuting infrastructure and processes?
Even in the worst-case scenario, effective risk management strategies can allow your organization to identify, prioritize, plan, and respond to potential risk events. These unlikely, but high impact risk events should provide us the opportunity to evaluate the effectiveness of our planning efforts and the impact of our response.
People are the core of an organization. They are the employees who execute the work to achieve the organization’s objectives. People are responsible for making sure the processes and technology operate as intended. Without the people, the other two elements do not work.
Therefore, it is critical to mitigate risks associated with 1) the health and safety of people and 2) people’s ability to plan, react, respond, and learn from high-risk events. Overall, organizations need to challenge themselves to consider employee risk in the face of the current and potential future events.
The following presents considerations to help generate ideas to mitigate risk, from readiness (what did you have in place?), to response (what did you do?), and then to recovery (what are you planning to do next?).
To consider: Risk is everywhere. Organizations have a variety of risk appetites, or risk vs. reward mentalities, to address risk, from risk averse to risk accepting. As a result, each organization may have a different reaction to the following.
Readiness represents the organization’s position before a high-risk event, and leading up to that event. Multiple layers of resource/people considerations can be evaluated to understand how the organization prepares itself. Readiness criteria should not be “cookie-cutter” or “check-the-box”. They should be designed to suit the organization and its risk appetite.
- Who was responsible for understanding and managing risk events?
- Did the organization have an established resource center/group designated to communicate critical information, including high-risk events, to employees?
- Did the organization have a group of people/person whose role is to assess risk? For instance:
  - Chief Risk Officer
  - Internal Audit Resources/Function
  - Enterprise Risk Management Resources/Function
  - Chief Technology Officer
  - Risk Committee
- What are their roles?
- Do these resources communicate with each other to ensure they connect on objectives?
Collaborative Business Continuity and Disaster Recovery Plans
- Have risk resources established, implemented, and managed business continuity and disaster recovery plans?
- Are plans tailored to the organization?
- Were plans known by key stakeholders?
- Were plans current, and periodically tested/updated?
- Have critical roles/functions and their back-ups been identified?
- If an employee or multiple employees become incapable of performing job duties, can the organization reallocate and redistribute workload and duties?
- Are employees cross-trained on various functions to seamlessly transition if needed?
- Are on-the-job training materials and step-by-step procedures available to provide continuity of operations?
Response is looking at how the organization (and resources) reacted to the event, how its readiness criteria operated, and how it needed to adjust to ensure safety and continuity of operations.
- Did its processes keep its people safe and functions operational?
- Did owners of established emergency and crisis function responses operate as intended?
- Were employees made aware of updates, factors impacting safety, process changes, and protocol?
- Were systems enabled to help employees operate safely and effectively?
- Were changes in policies and procedures developed and communicated to employees in a timely manner?
- Were other risks overlooked as emphasis may have been placed elsewhere (e.g. cyber risks, compliance)?
- How did leadership react (or how is it reacting) to the event? Was there a focus on safety, execution, morale, etc.? This is critical – it represents the tone at the top, or the culture of the organization.
Recovery is the lookback period, and the time to focus on improvement to advance the organization’s readiness and response.
- Does the organization need to focus efforts on assigning people to own risk response functions?
- Is there a need for increased/expanded risk resources?
- Should an independent department (e.g. Internal Audit) emphasize low-probability/high-impact events during a risk assessment exercise?
- How can Internal Audit, Enterprise Risk Management, and other risk functions better align and communicate?
- Does there need to be a focus on audits and process assessments related to risk events?
- Does the organization need a function/body to assess its technology environment and infrastructure?
- Did the organization receive feedback from people based on experience (e.g. safety challenges, morale, etc.), and what does it intend to do with that information?
- Does leadership need to reevaluate its tone/culture?
A common thread to consider about the future following COVID-19 is the organization’s response to change. Organizations need their people healthy and safe to sustain operations and achieve their objectives. To keep their employees safe and informed, organizations should continuously monitor risks, implement recommendations from governing bodies, be agile in responding to changes in their risk environment, and periodically assess risk areas.
Risk management and internal audit professionals can assist organizations in evaluating risk, response, and processes.
Processes help people and technology perform defined, consistent work by providing standards for performance. Processes are defined through organizational policies and described in further detail through standard operating procedures, which provide the documentation to make processes repeatable, scalable, and efficient.
The cornerstone of many audits – whether an external audit, internal audit, or compliance audit – is the policies, procedures, and processes that guide the organization. They set the foundation for what is expected and provide a measure of comparison for the performance of actual tasks. Without standardized policies, procedures, and processes, employees could be inefficient, ineffective, not addressing risks, and/or not aligning with the organization’s goals.
An organization’s operations occur inside of defined key business processes. Additionally, an organization’s risk management activities such as risk identification, control implementation, risk mitigation activities, and monitoring processes occur inside of these defined business processes. Therefore, an organization needs to continuously assess the efficiency and effectiveness of its business processes to ensure risks are appropriately identified, monitored, and mitigated.
Business processes may need to adapt based on risks identified during low probability/high-risk events. Organizations need to challenge themselves to consider business process risks in the face of the current and potential future high-risk events.
Readiness represents the organization’s position before a high-risk event and leading up to that event.
Did the organization have business continuity plans, continuity of operations plans, and/or disaster recovery plans that were documented, tested, and shared internally?
Planning helps an organization identify risks and develop strategies. But when the COVID-19 pandemic (or other high-risk event) occurred, was the organization able to implement its emergency/crisis management plans efficiently and effectively? It may not have been as smooth as anticipated, but identifying what worked and what didn’t is key to improving.
Were emergency and crisis management plans thoroughly tested? Were plans adjusted for changes in people, processes, and/or technology and tested periodically? Were changes in plans and results of testing communicated throughout the organization? Having these plans in place is a step in the right direction; however, they need to be continuously monitored, updated, and tested for effectiveness.
Were key business processes documented, communicated, and accessible?
For business processes to be repeatable and consistent, they should be documented. Many organizations have documented policies and procedures for key business functions. However, if they are not updated as needed and communicated to all employees, they could be less effective. Policies and procedures need to be easy to find and accessible if key business processes are to operate effectively regardless of an employee’s location.
Did the organization utilize cross-training, job-sharing, and succession planning as tools to reduce the negative impact of employee losses?
If critical positions were unable to operate, is the organization agile enough to identify the need, insert replacements, and ensure continuity? Are duties documented in a way that allows new employees to step in and conduct process steps with little to no interruption in operations? Are training materials available to assist employees in on-the-job learning?
Outside of the negative morale implications of losing a critical employee, the loss of productivity and continuity can have a significant impact on operations. Forward-thinking companies should be promoting cross-training and job sharing as effective tools for continuing operations. Further, the identification of critical roles through succession planning will help organizations address unforeseen changes in staffing.
Response involves looking at how the organization reacted/is reacting to the high-risk event.
Was the organization able to adjust strategies and processes to adapt to the current environment?
Not many could have imagined the impact of the COVID-19 pandemic across industries, countries, and both small and large businesses. In hindsight, the organization may have experienced some unexpected failures in business processes. But if the organization was able to identify risks or failures in a timely manner, and create or adjust strategies and processes, the impact may have been reduced. There is no perfect response, and we don’t know what we don’t know. Organizations need to be able to develop resilient approaches that can anticipate and respond to risks as soon as possible.
Was the organization able to identify new risk factors and develop or monitor controls in the current environment?
Reassessing risks in today’s changing environment is worrisome when conditions are unlike anything we have ever faced before. However, the changing environment may be creating risk factors that were never considered before. Is the organization considering these new risks? Is the organization able to develop and implement sufficient controls to mitigate heightened risks? Are certain departments or business processes more susceptible to risk than others?
Organizations should be reaching out to management and supervisors to obtain feedback on operating conditions, risks, and controls.
Were changes to processes documented and communicated timely?
In uncertain times, communication is crucial, and the speed at which it is disseminated can greatly impact decision-making and continuing operations. If new risks are identified or disruptions have occurred that impact key business processes, decisions need to be made promptly to address them. Then, updates should be documented and quickly communicated to everyone within the organization. It is essential that organizations document decisions, since without documentation it may become difficult to remember and/or justify the decisions that were made.
Further, acting quickly can have unexpected outcomes. Does a new business process impact the organization’s regulatory compliance? Does the implementation of a new control create risk in another business process? Organizations need to ensure they have all the right people at the table when making changes, to ensure resolutions are not creating new problems.
Recovery is the lookback period, and the time to focus on process improvement.
What were lessons learned and how can they be utilized to improve business processes going forward?
Chances are that no business will make it out of this current pandemic event unscathed. What was learned from the event, and how can the organization use that information to drive change going forward? Was the organization prepared for an event of this magnitude? How would the organization plan and prepare for future events? What did the organization do well, or poorly? What areas should have been addressed sooner? Should the organization evaluate business processes more frequently through internal audit, compliance audits, or process improvement reviews?
Organizations should seek 360-degree feedback from across the organization to identify impacted areas or risks that management may not be considering.
How can the organization utilize data captured to change business processes?
Organizations should seek out as much data as is available to assess efficiency and effectiveness of business processes. Data analytics can be useful to identify outliers, potential issues, or variance from expectations. It can also identify positive impacts, such as efficiencies gained through automation or teleworking. By analyzing data collected, organizations can swiftly provide valuable insights to support informed decisions and process improvements.
A theme throughout this blog has been an organization’s ability to identify and adapt to changes. COVID-19 has been a reminder that high-risk events are real and capable of quick and significant financial, operational, and reputational impacts. Organizations need to be able to continuously monitor business process risks and be prepared for the changes that can be brought about if risks were to escalate in the future, however unlikely that may currently appear.
Risk management can assist the organization in preparing for, responding to, and recovering from this pandemic risk as well as future risk events. It is imperative for organizations to be asking the right questions, before, during, and after the risk event has occurred, to improve business processes holistically.
Technology consists of tools that enable people and processes within an organization to operate in a more efficient and effective manner. Components of technology include information systems, hardware, and software. Technology has been, and will continue to be, an innovative sector as more and more organizations rely on it to perform critical organizational functions.
Many businesses are identifying innovative ways to continue operations during disruptive events such as a reduction in staffing resources, natural disasters, and pandemics. One method to continue operations is implementing telecommuting strategies designed to allow employees to work remotely. However, during this COVID-19 pandemic or other disruptive event, organizations may be stressing their telecommuting strategies and infrastructure, exposing themselves to additional risks by not having the appropriate technology controls in place or not leveraging mature technology processes.
Readiness represents the organization’s preparedness leading up to a high-risk event.
Was the organization ready for telecommuting?
If the organization’s process for executing telecommuting is mature, there should be a seamless transition from onsite operations to telecommuting. However, if there are issues within the process, or security concerns, a technology process review may need to be considered.
Did employees have access to the tools they need to perform work remotely?
Employees require certain tools to efficiently work remotely, such as computers, mobile workstations, mobile phones, and internet. Organizations can issue these devices as the equipment that is to be used while in the office or for performing work at home or at a client site. However, disruptive events may require swift actions and decision making regarding the assignment of tools. Policies should be developed to clearly communicate the processes that must be followed to obtain or access the tools needed for working remotely.
Did the organization have policies and procedures regarding the appropriate use and security measures for these devices?
Policies and procedures establish the guidelines that are to be followed by employees within the organization. Not having an established telecommuting guideline may expose the business to additional risks, such as leaving mobile computing devices susceptible to being stolen, lost, or hacked. Further, there is a risk of failure to meet specific privacy compliance requirements such as the Health Insurance Portability and Accountability Act (HIPAA). This may expose intellectual property or privately held information to being accessed by unauthorized individuals.
Did the organization have the appropriate software strategies and solutions to reduce the risk of unauthorized access to data on mobile computing devices?
Sometimes adversaries will resort to physical theft of devices to gain unauthorized access. However, there are several solutions that can assist in keeping your data secure, including:
- Remote Wiping: Security feature allowing the administrator of the tool to send a command to the device that will delete the data on the mobile computing device.
- Password Protection: Process of securing access to the device through assigning a unique combination of characters and/or patterns.
- Device Encryption: Security feature that transforms data (plain text) stored on the device into a form that conceals the data’s original meaning (ciphertext).
Response assesses how the organization is able to deploy telecommuting technologies during a high-risk event.
Did the organization have the necessary tools to allow employees to collaborate and communicate effectively?
Although there is physical distance between team members, teams still need to operate effectively. Solutions that foster remote teamwork include:
- Collaboration Software: Applications designed to help individuals work together through organization and conversation within a single solution. Some of these applications can make and receive calls, schedule meetings, and create project working folders.
- Cloud Email: Many organizations have email software, but not all have cloud solutions. Cloud email solutions offer organizations a tool for individuals to access their email over the internet. Email software does not have to be downloaded locally; instead, users can access it from any capable device, as long as internet is available.
- Video Conferencing: Technology allowing users in various locations to conduct face-to-face meetings through video calls. This technology can help develop stronger relationships, serve as a medium for training, and foster collaborative efforts.
Did employees have appropriate access to the data and systems to execute work tasks?
A significant concern when telecommuting is securing data when employees are not in the office. Allowing employees to telecommute presents additional opportunities that an adversary may take advantage of to gain unauthorized access to confidential or private business data.
To counter these opportunities, organizations should apply additional safeguards that protect business data, employee information, and customer information. Some of the technology tools used to manage access include:
- Remote Access Policies: Policy that defines the standards for connecting to the organization’s network from any external network. This policy sets the configuration requirements that both the connecting computer and the network through which its connection is routed must meet before access is granted.
- Multi-Factor Authentication: Technology that grants access only after the user successfully presents two or more factors of authentication. It involves verifying the user through something they know (e.g. password), something they have (e.g. a token identification number), and/or something they are (e.g. fingerprints).
- Virtual Private Networks (VPN): Technology that creates a private network connection within a public network connection using an encrypted tunnel. This technology allows users to send and receive data while connected to the VPN as if they were on the organization’s private network.
- Zero Trust: Model that follows the principle of “never trust, always verify, enforce least privilege” for entities outside or inside the organization’s network perimeter. This may reduce the likelihood of adversaries obtaining additional access to critical information if they have already gained access to the organization’s perimeter.
Recovery is the lookback period, and the time to focus on improvements.
Were there challenges identified that need to be addressed to improve the telecommuting infrastructure and processes?
- Using Internal IT Resources: Understanding telecommuting successes and failures during disruptive events is critical to enhance the organization’s telecommuting maturity level. Lessons learned can be identified through the review of tickets associated with telecommuting and real-time tracking and monitoring of telecommuting issues through system monitoring tools.
- Using Internal Non-IT Resources: Another critical action to perform is contacting employees that are being supported. Whether it be a formal recurring meeting or an ad-hoc process, obtaining feedback from individuals who are telecommuting will provide valuable information on the user end.
- Using External Resources: An external resource, such as a consulting firm, can assist you in identifying, analyzing, evaluating, and addressing telecommuting risks while providing information to enhance telecommuting process maturity. Having an independent resource perform an unbiased review of telecommuting processes will provide management with identified risks or improvement areas from individuals with diverse backgrounds. Their experience gathered from other organizations and their understanding of best practices are just some of the benefits of hiring external resources. Other benefits include easily scalable contract work without additional strain on internal resources, cost savings from not hiring a full-time employee, and independent and objective advice.
Cybercriminals are opportunists who exploit vulnerabilities within technology, processes, and people. They are aware of the potential increase in opportunities to exploit organizations during telecommuting, as organizations seek to comply with social distancing requirements. However, when a well thought out telecommuting infrastructure is put into place, telecommuting can be a vital tool to aid in organizational resiliency during disruptive events.
Hopefully this snapshot into risk through the lens of people, process, and technology, and readiness, response, and recovery will help your organization to better prepare for future high-risk events. If you have any questions regarding risk management strategies and/or organizational preparedness for high-risk events, please reach out to our team.