Q&A: Risk Management in the Time of COVID

When you consider the impacts of the COVID-19 pandemic on businesses, you probably find yourself quick to mention cash flow and liquidity, supply chain impacts, and, of course, the lasting effect on workforces. But wrapped up around those items is a business’s risk management program – the essential policies, procedures and controls it uses to dictate disaster response – and it’s an area that’s been tested greatly in the past year.

We recently spoke with Lisa Whittemore, Partner in MFA’s Risk Advisory Practice, and asked her to share some insight into how businesses have reacted in the wake of COVID and how they can prioritize risk management programs moving forward.

Q: It’s now been a full year since the COVID-19 pandemic first caused large-scale disruptions at the corporate level. If you revisit those first few months in particular, how did you see businesses addressing risk management at the outset?

Lisa Whittemore (LW): I think the fear and uncertainty that a lot of us were feeling on a personal level at the time was also permeating through the business community. And because we were seeing shutdowns nearly immediately, owners and leadership teams had to think quickly on their feet. From a business continuity perspective, they needed to understand how to continue operating at the same level with employees forced to work remotely and physical office locations unavailable.

So the pandemic really forced companies to look internally very quickly and acknowledge whether or not they were prepared for a disaster of this magnitude.

Q: How, in those early moments, were companies assessing those immediate impacts?

LW: A natural first step was to complete an internal process and controls assessment. As an example, businesses needed to understand if they had gaps in their operations and systems security which would hinder or halt ongoing production given that employees were no longer in the office.

Some questions that immediately arose: Were there operational procedures that were disrupted due to the pivot to remote work? What would the processes, requirements and costs be to ensure the safety of those who were still required to go into the office? Were they able to effectively communicate with their workforce and with customers? If there were workforce reductions, what measures were taken to keep their existing processes and controls tight? What modifications needed to be made to ensure segregation of duties or security of systems access?

Even businesses that had previously embraced telecommuting weren’t necessarily prepared to answer all of these questions on day 1 of the COVID lockdowns.

Q: You mentioned security, which is obviously a critical concern when you’re dealing with a remote workforce and aspects of business operations being transitioned to a virtual setting.

LW: Security controls are arguably the most essential piece of an effective business continuity (BC) and disaster recovery (DR) plan. Even if your business is well-enabled from a technology perspective, having a primarily remote workforce always introduces new layers of concern. What about the risks posed by home office security? Are employees using secure VPN access or are they hopping on their neighbor’s unsecured Wi-Fi? If their home isn’t a conducive workplace, are they using public Wi-Fi at a local library or coffee shop? Are system updates still able to be pushed to remote employees timely and completely? What kind of information can be accessed or shared offline? There’s a lot to unpack there and account for.

Q: I’d imagine this also opens the gate for other risk management concerns such as fraud.

LW: Absolutely. If those security processes and controls aren’t assessed and modified – and in a timely manner – you’re opening your business up to significant risks. If there was a reduction in workforce, particularly, there’s potential for malicious activity. If an individual is motivated and has the means, and their access wasn’t terminated properly or in a timely manner, what kind of havoc can they wreak?

Even inadvertently, without malicious intent, it’s critical that businesses are taking the necessary steps to secure internal controls to mitigate these types of potential disruptions.

Q: What do you think has been the biggest learning shift or realization that companies have come to grips with in the past year with regard to their controls and compliance programs?

LW: Definitely staying on top of those Disaster Recovery and Business Continuity Plans. It requires diligence to ensure those documents are applicable to your distinct operations, are living and breathing and also that they’re effectively communicated throughout the organization. Putting it all on paper is essential – don’t get me wrong. But if the right people don’t know what steps to take to react in these scenarios, those plans aren’t going to do much good.

I was impressed to see the willingness amongst my base of corporate customers to mobilize and appreciate the urgency needed to address risk and control programs. This past year has been a great test of existing disaster and continuity plans, and I think it provided clarity to a lot of businesses who would have otherwise thought they were prepared for anything.

MFA Observations
In the coming months, we’ll be taking a closer look at risk management practices and sharing guidance for businesses grappling with the lasting impacts of the COVID-19 pandemic. Stay tuned! In the meantime, if you’d like to schedule an internal controls assessment or learn more about working with MFA’s Risk Advisory Team, please connect with us.
