The metaphor of a black swan is used to describe a completely surprising, hard-to-predict event with a major effect on people’s lives. Does the COVID-19 pandemic fulfill the criteria of unpredictability, even though many (including Bill Gates) had been warning the world about the possibility of an outbreak? One thing is certain: 2020 will be life changing. What does it mean for GRC (governance, risk, compliance)?
History shows that pandemics, epidemics, and infectious diseases have killed more people worldwide than natural catastrophes and wars. Both George Bush (in 2005) and Barack Obama (in 2014) warned about the next pandemic in their speeches. In 2018, during one of his TED Talks, Bill Gates talked about a possible pandemic outbreak. What Gates wanted us to know was that the world was totally unprepared for that sort of event. It appears he was right.
Business-wise, one of the biggest challenges in times of any crisis is to pay attention to crucial aspects of your company, strengthen the compliance division, and ensure it is ready to function in a disrupted, digitized world.
I would like to share with you 4 such key aspects to take into consideration.
2020 is a year of disruption and lockdown. We can see that organizations had not considered the possibility of a pandemic outbreak and had not been prepared for its consequences (something like COVID-19 seemed too abstract to happen). This is why the current pandemic should become an impulse to prepare for future times of unpredictability and to make plans for business continuity.
Verifying all mechanisms which enable the company to function in disruptive environments is the first step to take. Risk profiles provide the management with information necessary to picture all risks at the company. Risk profiles are usually a kind of executive summary of an entire risk analysis, with crucial areas highlighted. A bigger picture means better decisions.
The pandemic necessitated a fundamental update to companies’ risk management. And as we know, history repeats itself, so let us try to explain what an “epidemic” risk profile looks like.
Risk profiles are different for each company, but no matter what, one or more of the following scenarios could happen to anyone:
- Scenario 1: Personnel shortages. Pay attention to: Unavailability of key personnel, unavailability of a significant proportion of personnel at all levels.
- Scenario 2: Inaccessibility of the workplace.
- Scenario 3: Interruptions and irregularities in services provided by third parties.
- Scenario 4: Limited feasibility of other fallback plans.
This is the first lesson to learn: strengthen risk management divisions and build risk profiles, even (or especially) for what seems like an unbelievable cliché from B-class sci-fi movies.
Business continuity in the time of plague in a nutshell — I highly recommend reading about it in this article.
Do you want to create risk profiles for your company? Read more about risk profiles and special measures in an era of unpredictability in my last article.
Cooperating with third parties is also a risk to manage. Rapid digital transformation involves the outsourcing of many processes to create a fully digital company environment. This means that vendor selection becomes more important than ever — “bad” experiences could cause reputational damage, regulatory violations, and interruptions to business operations. Are vendors manageable? Establishing a vendor management program in your company needs 8 steps. What are these? I am happy to share with you an article by Jan Anisimowicz on precisely this topic. Discover a practical approach and tips to help you build efficient and long-term risk management processes, and thus avoid bad subcontractor choices.
Cybersecurity as rule number one
During the ongoing pandemic we have seen an increase in the number of malware and phishing campaigns, many of them related to COVID-19. These even included targeted attacks on well-known organizations, such as the WHO and the Gates Foundation. And this is just the tip of the cybersecurity iceberg.
The workplace was already changing fast, and the pandemic has accelerated the shift to disrupted work environments. We used to talk a lot about cyber risk, but reality far exceeded our predictions. A report by Bitdefender, “The Indelible Impact of COVID-19 on Cybersecurity”, states that 86% of infosec professionals noticed that attacks across the most common attack vectors were on the rise during the COVID-19 pandemic. More interestingly, at the same time half of them admitted that they had no contingency plan in place for the pandemic.
Infosec professionals report that, in their opinion, phishing or whaling attacks (26%), ransomware (22%), social media threats/chatbots (21%), cyberwarfare (20%), trojans (20%), and supply chain attacks (19%) have intensified during the pandemic — and that is to name but a few attack vectors.
All this means that organizations need to build risk profiles and risk maps that take a range of new threats into consideration. And they must make cybersecurity a strategic pillar of their organization.
Be compliant inside and outside
Many pundits agree that compliance teams will be central to the survival and protection of companies. Yet compliance is a tough nut to crack. The pandemic intensifies challenges. In addition to COVID-19 implications (both current ones and future consequences), organizations must get in line with anti-money laundering legislation, pay closer attention to sanctions compliance, find a way to demonstrate the company’s commitment to upholding environmental, social and governance standards (organizations will need to internally assess their compliance with environmental standards, labor laws, etc.), and more.
The two best words to describe compliance in the near future will be “nimble” and “digital”. Several recent large scandals, such as the one at Australia’s Westpac bank (regulators accused Australia’s Westpac Banking Corp (WBC.AX) of 23 million breaches of anti-money laundering laws, saying the banking giant ignored red flags and for years enabled payments from convicted child sex offenders and “high risk” countries), resulted from the failure to turn intelligence into action. This means regulators will actively look for strong compliance programs that not only offer early detection, but also have action procedures for teams that see “red flags”.
In addition, since the COVID-19 outbreak, we have been witnessing the importance of risk mitigation and agility; taken together, these two guaranteed a fast switch to fully effective functioning of crucial company areas. Now, after the increase in cyber-attacks, we should take into account that many organizations will also be required to meet a variety of cybersecurity and privacy regulations.
And this is not all. Working from home is inherently more risk-prone than working in a corporate setting, owing to the less strict control that can be exercised over, among other factors, who can physically access the hardware. Our “new” work culture has thus become riskier. A survey conducted by IBM found that 54% of employees would prefer to work primarily remotely. Of those surveyed, 75% said they would like to continue to work from home in at least a partial capacity, while 40% of respondents said they feel strongly that their employer should give employees the choice to opt in to remote work.
It seems like the disrupted workplace will be with us for longer than we thought.
Crisis go, crisis come
The COVID-19 pandemic could be treated as a benchmark. By learning to take into consideration such challenges as the climate crisis or possible future lockdowns (a second wave of infections is widely discussed, and nobody knows what it will look like), companies should change their approach to unpredictability and use the latest tools… to try to manage it!