Reassessing Risk While Operating Any Organization During a Pandemic
By Lawrence Baye, CMC, CISA, Principal and Mark D. Bednarz, CPA, CISA, CFE, Partner
While organizations continue to adapt their operating practices during the ongoing pandemic and associated recession, it is clear that some of the challenges executives and Boards face are, in fact, significant risks that could result in reputational damage, regulatory compliance failures, fraud as well as financial loss. Prior to the COVID-19 outbreak, these challenges may have been recognized, but the risks were viewed as either unlikely to occur or, if they materialized, of minimal impact. Now, however, we know that they require a fresh look with special attention paid to the following areas and the related questions posed.
Information Technology Security
Bad actors, including foreign hackers and disgruntled employees, are using the pandemic as an opportunity to sell counterfeit items (e.g., low-quality PPE or defective raw materials that may end up in manufactured products), take control of networks and application systems (e.g., ransomware attacks on hospitals, schools and utilities), steal sensitive information (e.g., customer pricing lists, recipes and formulations used in production, credit card data), apply for loans and grants they are not entitled to, and divert funds to their accounts. Are you sure you know your exposures?
Cash Flow Projections
The combination of reduced sales activity, delays in collecting outstanding receivable balances and unplanned costs associated with enhanced sanitation and paying top dollar for items in short supply makes micromanaging cash flow a priority in order to fund day-to-day operations and capital projects. Are the spreadsheet models used for projections sufficiently robust to accommodate real-time changes in data, conditions and assumptions?
Supply Chain Disruptions
Companies moved to “just-in-time” ordering and replenishment of goods as a means to reduce inventory carrying costs, reduce the risk of obsolescence and defer the purchase expense until the item was actually required. However, if we now find that the item is no longer available because the vendor went out of business, or that it is delayed in shipment because an overseas factory was shut down last Spring, what options are available to the business?
Internal Control Environment
Most policy and procedure manuals were never designed with remote or hybrid operations in mind and now need revision. However, have you considered that the potential for fraud is much greater now that your internal control structure has changed, if you ask employees to pitch in and perform activities that raise segregation of duties conflicts, or have turned to electronic signatures instead of manual signatures on paper documents for approval of invoices before payment or as evidence of reconciliation review?
Employees who are used to spending their days in an office environment and now work from home may be stressed by juggling child care responsibilities, fears of job loss or concerns about advancement, and feeling disconnected from their colleagues. Since onboarding new hires and training in the event of turnover are a challenge now, what is being done to address employee concerns while keeping them productive?
Absent face-to-face meetings and events that allow executives to convey their strategic goals, speak to their progress in achieving the organization’s mission and listen to the needs and feedback of its Board members, customers, employees and other parties, what steps are being taken to bridge this gap and are they effective?
During recessions, many third parties lack the resources to sustain service levels and meet the commitments specified in contracts. When combined with a pandemic, some may be forced to cease operations. In addition, a compromised fiscal position may prevent a third party from making the necessary investments to keep pace with customer demand or competitor offerings. Does your organization know which relationships may be at risk and what can or should be done from a contractual perspective?
Social Media and Privacy
Employees working remotely may intentionally or inadvertently access and download sensitive information (e.g., payroll records, product design specifications) on their home computers and then retain the files on their personal backup drive or in cloud-based storage. The same personnel may also fail to shred printouts and reports and, instead, dispose of the papers as part of household trash. Finally, in a more relaxed home environment, employees may post information on social media that should not be disclosed. What measures are being taken to reinforce these policies and monitor abuses?
Keeping pace with required reporting, license and permit renewals, filing deadlines and other compliance obligations is far more challenging when the normal schedule and sequence of activities are disrupted. Who is responsible for monitoring regulatory guidance to determine if there are any non-compliance threats and any adjustments required by governmental bodies?
Business Contingency Planning
Most organizations never contemplated a public health crisis in their business continuity planning because we have never experienced a pandemic during our lifetimes. Has the plan been modified to reflect current operations, and are tabletop exercises or simulations performed to determine whether all concerns have been vetted?
With so many risks lurking on the horizon ‒ the next public health crisis, droughts, fires and flooding due to climate change, economic uncertainty, social unrest ‒ now is the time to take a fresh look at your risk management program or to conduct an initial risk assessment so your organization is better prepared for the future.
If you have questions or need assistance with your organization’s preparation and response to this viral pandemic, you can reach out to Larry Baye, Risk Advisory Principal, at firstname.lastname@example.org or Mark Bednarz, Risk Advisory Partner, at email@example.com, who will be pleased to assist you.