This is the first part in a series of articles exploring COVID-19 Key Risks.
Many organisations have requested information and commentary in relation to risk and the impact of the COVID-19 pandemic on organisations, and many are querying which changes they should be making to their risk registers.
The COVID-19 pandemic will change the ways organisations operate in both the short and long term. What is the ‘new normal’ for businesses? What are the key risks for organisations right now? Which areas should organisations focus on in order to maintain high standards of governance, risk management and compliance?
The register could be used to focus the organisation’s leadership on these specific risks and on the implementation of controls to manage these risks. Many risk controls may already be in place in the organisation, so it is essential to start by evaluating the effectiveness of the current controls in place to manage each risk. For example, if there is already a fraud and corruption program in place, check whether it is properly addressing staff working from home. After reviewing the effectiveness of the current controls, the next step is to plot the likelihood and consequence to obtain a risk rating. After rating each risk, the organisation’s leaders should consider what additional controls or ‘risk treatments’ may be required. This is a cyclical, continuous improvement process: once the risk treatments or additional controls are implemented, a further review of the risks and the effectiveness of the risk controls for each risk should be undertaken regularly.
Create a checklist that can be reviewed by leadership every few months that will focus their discussion and decision making in relation to these issues to assist in identifying problems and finding solutions.
Provide a short summary of the issues related to the risks to alert staff and key stakeholders and increase their awareness of these issues. At the same time, you could also indicate what additional measures are being implemented to address the issues such as an action plan.
There are many events that have the potential to significantly disrupt the normal business functions of an organisation. These events can collectively be referred to as risks to business continuity. The challenge for any organisation is to develop a comprehensive business continuity plan (BCP) to support and enable normal business functions to be maintained in the event of the materialisation of a risk to business continuity.
Business continuity planning should involve consideration of both the likelihood and the consequences associated with the many risks that threaten business continuity. Organisations should therefore consider what steps can be taken to reduce the likelihood of a risk to business continuity occurring and, if the risk does materialise, what steps can be taken to reduce the consequences or impacts on business continuity. All of this should be included in a comprehensive business continuity plan (BCP). An organisation’s hard-won reputation can quickly diminish if responses to critical incidents and natural disasters are badly handled and chaotic. A comprehensive BCP is designed to enable a systematic and planned response to any threats to business continuity.
Prior to the COVID-19 pandemic, many organisations already had well-developed BCPs and those that didn’t probably wished that they did. However, even organisations with a BCP have found that their BCP did not adequately account for the scale and complexity of the interruption caused by the COVID-19 pandemic, and it’s not over yet. Many BCPs did not identify a global pandemic as a source of business interruption and, even where it was included as a source of interruption, the BCPs often did not foresee what has occurred in relation to the COVID-19 pandemic so far. The COVID-19 pandemic has highlighted that constant effort is required to improve business resilience, and that organisations need strategies, tools and effective people to adapt quickly. For an organisation to have confidence in its BCP, it needs to ‘stress test’ the BCP. This can be done by using a wide range of ‘what if’ scenarios to determine whether the BCP is actually effective in helping to maintain business continuity.
Organisations also have an opportunity to learn from the COVID-19 pandemic and consider what they might do differently to help maintain business continuity, should the same or similar circumstances arise, or a COVID-19 ‘second wave’ occur. Just because lockdown restrictions are easing does not remove the need for careful ongoing business continuity planning. Ongoing business continuity risks from the COVID-19 pandemic include one or multiple positive tests within the organisation, potential further general periods of lockdown, and the possibility that some businesses may have a substantial period of lockdown if their premises are in a pandemic ‘hotspot’. Consideration should also be given to similar disruptions occurring to supply chains.
Any failure to maintain business continuity can lead to a lack of confidence in the organisation and its leadership which in turn is likely to lead to a loss of business and the loss of good staff. While organisations will generally have retained the support of their key stakeholders while negotiating the initial phase of the COVID-19 pandemic (which seems now to be coming to an end), those same stakeholders are unlikely to continue their support should there be any major mistakes and missteps in relation to any further lockdowns.
Many organisations will have a business continuity risk in their risk registers. The risk should be worded as a failure to have an adequate BCP and could read like this:
BCP Risk
Failure to implement and maintain a business continuity plan appropriate to the size, nature and level of complexity of the organisation.
Some organisations are also including ‘pandemic risk’ as a risk in their risk registers, which could read like this:
Pandemic Risk
Failure to have systems, policies, resources, and procedures in place, to substantially avoid major impacts to business continuity and financial viability from a global pandemic that substantially impacts the local population.
CompliSpace is helping organisations of all sizes manage these challenges via our GRC tool (CompliSpace Assurance) and our consulting services. Download a brochure of CompliSpace Assurance. Contact us to request a demo for your organisation. In the next section see some of the ways we are helping our clients.
There are numerous ways to use the CompliSpace Assurance System to help you address business continuity challenges. We've provided a few suggestions below. CompliSpace clients can contact their Consultant for additional help.
The CompliSpace Assurance tool can help you evaluate the impact of the COVID-19 pandemic on your organisation, looking both internally and externally.
For internal review, CompliSpace Assurance can be used to create a survey to proactively assess the impacts on your staff of the new ways that your organisation is conducting business. This will provide value-added feedback to senior management and the board.
For external review, you can monitor your external service providers and contractors by sending them a due diligence checklist to complete. Questions might include whether they expect any disruption to supply chains or substantial changes to business as usual operations. You can set this up in CompliSpace Assurance as a form or checklist.
A CompliSpace Consultant can assist you in identifying, analysing, evaluating, and treating your risks. If you do not have a business continuity, incident management, risk management or crisis plan, or if the ones you do have are not working, it is not too late to seek advice to review, improve, create or implement.