Q&A: Risk Management in the Time of COVID
When you consider the impacts of the COVID-19 pandemic on businesses, you probably find yourself quick to mention cash flow and liquidity, supply chain impacts, and, of course, the lasting effect on workforces. But wrapped up in all of those items is a business’s risk management program – the essential policies, procedures and controls it uses to dictate disaster response – and it’s an area that’s been tested greatly in the past year.
We recently spoke with Lisa Whittemore, Partner in MFA’s Risk Advisory Practice, and asked her to share some insight into how businesses have reacted in the wake of COVID and how they can prioritize risk management programs moving forward.
Q: It’s now been a full year since the COVID-19 pandemic first caused large-scale disruptions at the corporate level. If you revisit those first few months in particular, how did you see businesses addressing risk management at the outset?
Lisa Whittemore (LW): I think the fear and uncertainty that a lot of us were feeling on a personal level at the time was also permeating through the business community. And because we were seeing shutdowns nearly immediately, owners and leadership teams had to think quickly on their feet. From a business continuity perspective, they needed to understand how to continue operating at the same level with employees forced to work remotely and physical office locations unavailable.
So the pandemic really forced companies to look internally very quickly and acknowledge whether or not they were prepared for a disaster of this magnitude.
Q: How, in those early moments, were companies assessing those immediate impacts?
LW: A natural first step was to complete an internal process and controls assessment. As an example, businesses needed to understand if they had gaps in their operations and systems security which would hinder or halt ongoing production given that employees were no longer in the office.
Some questions that immediately arose: Were there operational procedures that were disrupted due to the pivot to remote work? What would the processes, requirements and costs be to ensure the safety of those who were still required to go into the office? Were they able to effectively communicate with their workforce and with customers? If there were workforce reductions, what measures were taken to keep their existing processes and controls tight? What modifications needed to be made to ensure segregation of duties or security of systems access?
Even businesses that had previously embraced telecommuting weren’t necessarily prepared to answer all of these questions on day 1 of the COVID lockdowns.
Q: You mentioned security, which is obviously a critical concern when you’re dealing with a remote workforce and aspects of business operations being transitioned to a virtual setting.
LW: Security controls are arguably the most essential piece of an effective business continuity (BC) and disaster recovery (DR) plan. Even if your business is well-enabled from a technology perspective, having a primarily remote workforce always introduces new layers of concern. What about the risks posed by home office security? Are employees using secure VPN access or are they hopping on their neighbor’s unsecured Wi-Fi? If their home isn’t a conducive workplace, are they using public Wi-Fi at a local library or coffee shop? Are system updates still able to be pushed to remote employees timely and completely? What kind of information can be accessed or shared offline? There’s a lot to unpack there and account for.
Q: I’d imagine this also opens the gate for other risk management concerns such as fraud.
LW: Absolutely. If those security processes and controls aren’t assessed and modified – and in a timely manner – you’re opening your business up to significant risks. If there was a reduction in workforce, particularly, there’s potential for malicious activity. If an individual is motivated and has the means, and their access wasn’t terminated properly or in a timely manner, what kind of havoc can they wreak?
Even inadvertently, without malicious intent, it’s critical that businesses are taking the necessary steps to secure internal controls to mitigate these types of potential disruptions.
Q: What do you think has been the biggest learning shift or realization that companies have come to grips with in the past year with regard to their controls and compliance programs?
LW: Definitely staying on top of those Disaster Recovery and Business Continuity Plans. It requires diligence to ensure those documents are applicable to your distinct operations, are living and breathing and also that they’re effectively communicated throughout the organization. Putting it all on paper is essential – don’t get me wrong. But if the right people don’t know what steps to take to react in these scenarios, those plans aren’t going to do much good.
I was impressed to see the willingness amongst my base of corporate customers to mobilize and appreciate the urgency needed to address risk and control programs. This past year has been a great test of existing disaster and continuity plans, and I think it provided clarity to a lot of businesses who would have otherwise thought they were prepared for anything.
In the coming months, we’ll be taking a closer look at risk management practices and sharing guidance for businesses grappling with the lasting impacts of the COVID-19 pandemic. Stay tuned!
In the meantime, if you’d like to schedule an internal controls assessment or learn more about working with MFA’s Risk Advisory Team, please connect with us.