In the last few months, the COVID-19 pandemic has disrupted every business on the planet. COVID-19 has not only introduced new risks to organizations; it has amplified and complicated existing risks organizations always faced. The virus has spurred an economic recession that’s unprecedented in scale. And it poses an existential threat to certain organizations.
Although the crisis has made life more difficult for all, it’s also created unique opportunities for risk, compliance, and security leaders to work on new issues that aren’t necessarily in their core remit, solve new problems that are urgent priorities for their board members, and elevate their own roles within their organizations.
Hyperproof recently hosted a webinar with Matt Kelly (CEO and editor of Radical Compliance) and Craig Unger (founder and CEO of Hyperproof) focused on helping risk and compliance leaders make sense of the changing risk landscape and sharing tactical ideas on how they can step outside of their traditional roles to make a meaningful impact during this extraordinary time in our history.
In this article, we’ve shared Kelly’s and Unger’s insights on how the risk landscape has shifted and the new opportunities out there for risk and compliance leaders to drive their careers forward in meaningful ways.
The Shifting Risk Landscape
COVID-19 has complicated and amplified the existing risks companies have always faced.
Security. Fraud. Workplace harassment. Supply chain.
These types of risks have dogged organizations for a long time, but they are now manifesting in different ways in the COVID-19 pandemic era. For one, as previously interpersonal business processes have shifted online, threat actors are ready to exploit these opportunities.
Software tools are suddenly being used in whole new ways. For instance, prior to COVID-19, CISOs and a company’s board members probably used Zoom to talk to one another occasionally. But it was unlikely for a CISO and a Board director to use Zoom to have strategic discussions where confidential business information is exchanged. Yet, now, executives are using Zoom to have all sorts of meetings, including meetings where confidential information is shared.
Further, due to COVID-19, business continuity risks have expanded by leaps and bounds. At this time, customers may be struggling to make payments, the viability of certain suppliers may be a real concern to your business operations, and it’s possible that your whole business model needs to be reconsidered. There’s now a much bigger field of business continuity risks that we all need to be thinking about.
At this time, there’s a pressing need for risk and compliance leaders to revisit policies and procedures, identify new risks, and implement new remediations, and they can’t afford to spend a lot of time figuring out how to do it. After all, risks must be addressed on a compressed timeline. As such, organizations will need to develop some new capabilities.
Key Capabilities Organizations Need to Have To Effectively Mitigate Risks
1. Teams Need to Be in Sync With One Another; Risk and Compliance Leaders Need to Know the Business
To effectively support their businesses at this moment, risk and compliance leaders really need to know exactly how their business operates. Many of the risks companies are dealing with now aren’t in the regulatory domain; they’re around how a business can stay viable and remain a going concern.
Kelly cited a great example to illustrate this point. He recently talked to an audit committee member at a large, publicly-traded tech company. This audit committee member gave the following advice to her fellow audit and compliance leaders:
“This is a truly scary time. Just stop with all the lingo and the standards. The number one priority is to make sure the business is still viable. Just tell me what you want to do to keep the business going.”
2. Strong Monitoring Capabilities are Needed More than Ever
More than ever, an organization needs strong monitoring capabilities. Some of that might be done by the CISO or the IT security function — such as monitoring networks for unusual activity or penetration testing. Other monitoring that needs to happen would be for unusual transactions or spending patterns or unusual changes in the third parties you’re using (e.g. software applications). “If you can’t get this rolling sense of how you’re doing today is different than yesterday, you’ll really be on your back foot. And that’s not good,” says Kelly.
3. Double Down On Training and Executive Communication to Help Employees be More Risk-Aware
Training and executive communication about how employees will need to be more risk-aware become critical during this time. Some processes that are now happening online or remotely may create new risks that you haven’t implemented sufficient compensating controls for yet. In that case, a clear policy, effective training, and a strong tone from the top will be the compensating controls until you come up with more structured controls.
Kelly cited two illustrative examples when making this point:
- People are using new digital channels to communicate; some of those channels aren’t secure. Previously, executives might have used Zoom to chat informally, but they’d never consider it for a strategy meeting where they’re sharing confidential business information. During this time, you want all of your employees and executives to be aware enough to stop and think before using a digital tool to send sensitive information and ask themselves: Should I send this message through this tool, or should I take precautions and use the phone instead?
- Workplace conduct around bullying and harassment. In-person, most of us have good judgment about how we speak to our colleagues. However, our judgment as to what’s appropriate to say may slide when we’re communicating electronically. Compliance and risk leaders should think through how abusive workplace behaviors could manifest in online communications. Slights, harassment, etc, exist differently in text than in person. How would that lead to tense work environments? How would the organization train for it, develop a policy for it, and, if something does blow up, investigate the issues?
4. Data Accuracy, Data Completeness, and Data Governance Are Essential
Prior to COVID-19, we were able to rely on face-to-face meetings as a type of verification mechanism. Now that this type of verification isn’t practical for businesses where everyone is working from home, confidence in your data becomes much more important.
“Try to get complete and accurate reports, and a common taxonomy of risks and data so everyone is working from a single source of truth. This can touch on document retention policy, data governance, and the like— they all factor into this,” says Kelly.
Data governance is important for all firms, but for some it’s a real regulatory issue. For instance, the Financial Industry Regulatory Authority (FINRA), the institution that regulates U.S. broker-dealers, covers data availability in its pandemic guidance. It says that organizations need to make critical data available.
If employees store important information on personal hard drives rather than within a central repository; there’s all kinds of risks in that behavior. It’s a compliance risk, a security risk (e.g., hackers can penetrate the personal computer) and an operational risk (e.g., if an employee gets COVID-19 virus and is out sick for several weeks and no one else can access that data).
Practical Ways to Make Positive an Impact and Advance Your Career
At this time, there are many things risk and compliance and security professionals can do to support their organizations and have a positive impact. Kelly and Craig each offered some practical ideas.
1. Becoming the “Owner” of Your Company’s Anti-fraud Programs.
Fraud risks are evolving in ways that could be dangerous and insidious. If your organization doesn’t have an internal audit team or a VP of loss prevention, someone needs to “own” anti-fraud policies and controls. People with compliance responsibilities may be potential candidates to take on the anti-fraud program.
Another good question to ask is: if not me, who? Lines of business can run their own anti-fraud activities, but they’re likely to end up with siloed activities and achieve less than if anti-fraud efforts were managed as a centralized function.
2. Brief Your Executives On What’s Coming From the Internal Reporting System.
Yes, this is a traditional compliance officer duty, but the nature and volume of calls might change dramatically due to COVID-19 — and trend analysis of internal reports could provide valuable insight into risks or flawed business processes. You can look at that data and consider briefing other execs on internal reporting trends more often, or briefing more execs who might not normally get that intel. Instead of briefing senior execs once a month or quarter about what’s coming from internal reporting systems, give LOB leaders updates on what’s happening every day. It can be a really valuable source of insights.
3. Expand Your Role From Regulatory Compliance to Broader Enterprise Risk Management
At this time, many of the biggest risks an enterprise faces aren’t regulatory issues per se. There’s an opportunity to explore how you could expand the compliance function’s domain from regulatory compliance to broader enterprise risk management.
Right now, the board and executive leadership team’s biggest concerns are operational. They might be about workplace policies on sick time or operational challenges for social distancing on the factory floor. Don’t leave those matters to operating executives alone, who might approach it in silos or not understand the importance of reporting ‘COVID risks’ to senior executives.
Now is the time to consider how you want to structure your role differently. Kelly believes that compliance and risk management are going to be fused into one single function in the near future. Why? Because all of our organizations are now relying immensely on technology for our operations. As such, the lines between security risks and operational risks are blurred significantly. Risk and compliance professionals may consider a broader purview that covers regulatory compliance and business continuity, and step up in areas where vacuums exist (e.g. standing up an anti-fraud program).
4. Continue to Provide Assurances to Your Customers That Your Systems Are Secure and Reliable
During this time, customers are going to be extra sensitive to risks of all sorts. Now is a bad time to give your customers reason to worry about your security posture or be wary of your company. The more quickly and systematically you can provide the assurance that your systems are secure, reliable, and trustworthy, the better your customers will feel about you as a third-party vendor. The better you are at governing yourself, the more attractive you become as a business partner to your customers.
5. Find Opportunities to Automate Manual Compliance Processes
COVID-19 is forcing all of us to deal with a variety of risks on a compressed timeline. Further, many organizations have had to lay off personnel — in some cases, individuals who’d previously managed some compliance processes. Efficiency has suddenly become a vital trait; you will need to find ways to help your organization be more agile and responsive in the complex risk environment that COVID-19 created.
Compliance software can give you the ability to automate manual processes and get a more holistic view of how your risks are being controlled or mitigated.
To get additional guidance and perspective on this topic, watch our on-demand webinar Beyond COVID-19: How To Build A Strong Risk And Compliance Management Function In The “New Normal”.