Risk management, control and COVID-19

Risk management, control and COVID-19

To use a phrase that is already in danger of becoming overworked, under the “new normal” the control environment will be different. Boards – especially audit (and risk) committees – face new demands and hazards as they make sure that effective risk management and controls remain in place. The control environment might have been satisfactorily solid before, but that was then. Now you are likely to have a situation where auditors cannot work as before, risk managers are distanced from operations and travel constraints (to the office, never mind to more distant operations) mean that doing the “smell test” and seeing what’s happening on the ground just isn’t possible in the same way.

So what should boards and committees do in response? It will mean knowing how things have changed from what worked before, combined with a heavier emphasis on the risk and control culture. So some different questioning and techniques are needed. Here are a few good practices to think through, as well as ones to avoid.

Good practices to consider…

Stand back and make the time to ask: how are our controls and assurance likely to have been affected? And how will they continue to be? There will be two angles. Many of the risks will have changed – you have to know that to judge how far controls remain appropriate. And the effectiveness of risk management and control procedures may have been impacted by the changed working environment. So, start with the big picture to make sure you’re focusing on the things that matter.

Things to avoid…

Diving straight down into the detail. Once you get to an operational or business line level, the granularity might mean you miss the big-picture shifts in risks and risk management. For example, the impact on the business model and supply chains, the macroeconomic impact on customers and suppliers, the risks that come with Working From Home, the people-related pressures, the impact on the soft controls. The context has changed, possibly massively. So any risk and control assessment needs to be made with an acute sensitivity to the new environment.

Good practices to consider…

Then break it down into the different parts so that you have a clear (well, clearish) picture of the impact on each area. Ask management to analyse each of the big risk and control categories separately, to show how they might have been affected and how mitigation is working. And do the same by country and possibly by line of business. How have supply lines been affected? Or particular categories of product or service? Have any of our financial risks been upended as the business model comes under strain?

Things to avoid…

Thinking that the risks are unchanged and that decision-making and checking are carrying on as normal. Automated checks are probably continuing to operate. But a lot of situations will see significant shifts in the risk profile. For one thing, there will be workarounds and rework where the old ways are no longer quite right for the job. So management needs to show you that they have an alert eye on every important process and related risk management procedure.

Good practices to consider…

Work through the Working From Home consequences, both in the short term and in the post-crisis period. It will be multi-faceted. The cyber/IT security profile will be different (and quite scary in some ways). And working outside conventional office-related control environments brings new challenges, as the controls that come from conventional management supervision, peer pressure and shared decision-making come under pressure.

Things to avoid…

Carrying on regardless. It might seem that people have switched surprisingly smoothly and are managing quite well. (Even to the extent that doing more of it seems like a good option for the future.) But have the risk and control consequences been surfaced and tackled? Remote checking of devices and VPN will help manage some of the risks. But what is each individual’s working environment – say around access controls? Or inadvertent snooping? Or shredding? Are conference calls being broadcast to the neighbours from patios on sunny days? If home working is to become a new norm, it needs controls that are made to fit the new circumstances.

Good practices to consider…

Keep a close eye on the non-process risks that might be storing up trouble for the future. The legal liabilities, customer conduct issues, regulatory and compliance gaps, staff welfare claims…the list could be long. NEDs are in a good position to help management spot these, as they should be keeping their sights above the immediate day-to-day risk management.

Things to avoid…

Postponing thinking about these seemingly non-immediate challenges until a less rainy day. They haven’t gone away and it’s better to get on top of these threats now than to let them build up and then hit you hard later when the damage has already been done.

Good practices to consider…

Discuss the geographical angle. With different countries, and even national regions, undergoing different levels of difficulty over varying timescales, one size will not fit all. At the central hub, a board or committee is going to need a well-explained picture of the relative risks and corresponding risk responses.

Things to avoid…

Assuming that what applies at (virtual) Head Office is what holds elsewhere across operations centres, subsidiary offices and extended networks, especially when they are in places where different conditions and cultures prevail. The discrepancies might be direct and measurable, for example different infection rates and the impact on “return to work” plans. Or it might be cultural (attitudes to socializing, home living and working options etc) And some environments might be more prone to a second wave than others.

Download This Post

To download a PDF of this post, please enter your email address into the form below and we will send it to you straight away.



Ready to speak to a board evaluation specialist?

Learn how we help boards to become more effective and have a bigger impact on strategic performance.