Risk management, control and COVID-19

by Richard Sheath

To use a phrase that is already in danger of becoming overworked, under the “new normal” the control environment will be different.  Boards – especially audit (and risk) committees – face new demands and hazards as they make sure that effective risk management and controls remain in place.  The control environment might have been satisfactorily solid before, but that was then.  Now you are likely to have a situation where auditors cannot work as before, risk managers are distanced from operations and travel constraints (to the office, never mind to more distant operations) mean that doing the “smell test” and seeing what’s happening on the ground just isn’t possible in the same way.

So what should boards and committees do in response?  It will mean knowing how things have changed from what worked before, combined with a heavier emphasis on the risk and control culture.  So some different questioning and techniques are needed.  Here are a few good practices to think through, as well as ones to avoid.

Good practices to consider...

Stand back and make the time to ask: how are our controls and assurance likely to have been affected? And how will they continue to be? There will be two angles. Many of the risks will have changed – you have to know that to judge how far controls remain appropriate. And the effectiveness of risk management and control procedures may have been impacted by the changed working environment. So, start with the big picture to make sure you’re focusing on the things that matter.

Things to avoid...

Diving straight down into the detail. Once you get to an operational or business line level, the granularity might mean you miss the big-picture shifts in risks and risk management. For example, the impact on the business model and supply chains, the macroeconomic impact on customers and suppliers, the risks that come with Working From Home, the people-related pressures, the impact on the soft controls. The context has changed, possibly massively. So any risk and control assessment needs to be made with an acute sensitivity to the new environment.

Good practices to consider...

Then break it down into the different parts so that you have a clear (well, clearish) picture of the impact on each area. Ask management to analyse each of the big risk and control categories separately, to show how they might have been affected and how mitigation is working. And do the same by country and possibly by line of business. How have supply lines been affected? Or particular categories of product or service? Have any of our financial risks been upended as the business model comes under strain?

Things to avoid...

Thinking that the risks are unchanged and that decision-making and checking are carrying on as normal. Automated checks are probably continuing to operate. But a lot of situations will see significant shifts in the risk profile. For one thing, there will be workarounds and rework where the old ways are no longer quite right for the job. So management needs to show you that they have an alert eye on every important process and related risk management procedure.

Good practices to consider...

Work through the Working From Home consequences, both in the short term and in the post-crisis period. It will be multi-faceted. The cyber/IT security profile will be different (and quite scary in some ways). And working outside conventional office-related control environments brings new challenges, as the controls that come from conventional management supervision, peer pressure and shared decision-making come under pressure.

Things to avoid...

Carrying on regardless. It might seem that people have switched surprisingly smoothly and are managing quite well. (Even to the extent that doing more of it seems like a good option for the future.) But have the risk and control consequences been surfaced and tackled? Remote checking of devices and VPN will help manage some of the risks. But what is each individual’s working environment – say around access controls? Or inadvertent snooping? Or shredding? Are conference calls being broadcast to the neighbours from patios on sunny days? If home working is to become a new norm, it needs controls that are made to fit the new circumstances.

Good practices to consider...

Keep a close eye on the non-process risks that might be storing up trouble for the future. The legal liabilities, customer conduct issues, regulatory and compliance gaps, staff welfare claims…the list could be long. NEDs are in a good position to help management spot these, as they should be keeping their sights above the immediate day-to-day risk management.

Things to avoid...

Postponing thinking about these seemingly non-immediate challenges until a less rainy day. They haven’t gone away and it’s better to get on top of these threats now than to let them build up and then hit you hard later when the damage has already been done.

Good practices to consider...

Discuss the geographical angle. With different countries, and even national regions, undergoing different levels of difficulty over varying timescales, one size will not fit all. At the central hub, a board or committee is going to need a well-explained picture of the relative risks and corresponding risk responses.

Things to avoid...

Assuming that what applies at (virtual) Head Office is what holds elsewhere across operations centres, subsidiary offices and extended networks, especially when they are in places where different conditions and cultures prevail. The discrepancies might be direct and measurable, for example different infection rates and the impact on “return to work” plans. Or they might be cultural (attitudes to socializing, home living and working options, etc.). And some environments might be more prone to a second wave than others.

Good practices to consider...

Help the internal auditors work out how they can still deliver assurance – and what new risks and controls they need to look at. That will probably mean more committee time, and possibly more regular interaction with the committee chair. The discussion needs to include changes to priorities, how IA is adjusting the audit approach and gathering evidence, and what resources might be needed to achieve a sufficient level of assurance. Plus, what they are doing to help you get the confidence you need around the risk culture. Asking about the cultural aspects and behavioural root causes can often be lost: it needs to be up front and centre.

Things to avoid...

Continuing to treat “Audit Completion Against Plan” as the most important metric. The world has changed and the last thing Internal Audit should be doing is sticking to the approach and priorities agreed in the old world. Both the plan and the audit approach need to change, possibly radically. A fresh pair of eyes, some sage advice, and maybe support for more resource will be valuable help to the Head of Internal Audit. Moreover, the audit committee will need to understand how the quality of audit work has been affected by remote working, with no onsite observation or face-to-face questioning, and what that means for the overall level of assurance.

Good practices to consider...

Spend whatever time is needed with the external auditors. The consequences for external audit processes are likely to be far-reaching, and questions around reporting requirements and risks such as going concern, provisioning and asset valuations highly complex and uncertain. The audit firms will be all over this – after all, they don’t want to take any more risk either. Some tough judgement calls will need to be made, with potentially huge consequences. Audit committees need to get on top of all this from the outset if they are to help shape the outcome.

Things to avoid...

Using the high levels of uncertainty that currently prevail as a reason to “wait and see” – leaving it until towards the reporting deadline to discuss what’s changed and what’s been done. That’s an open invitation for the audit committee to get unpleasant surprises. Asking for regular, early communications from management and auditors is the committee’s prerogative and it needs to take it.

Good practices to consider...

Look at how the Second Line has been affected – particularly risk management and compliance. They will have needed to adapt their focus, methods and communication. It is hard to imagine that their effectiveness has not been impeded – so the committee needs to get a view of this and how much it matters.

Things to avoid...

Failing to appreciate how much reliance came from good communication and in-person contact. When we ask stakeholders about the effectiveness of the risk management and compliance functions, often it’s about the quality of communication, advice and support. That’s more difficult when working virtually. So the committee needs to know what the Second Line is doing to make up for this impact on their effectiveness.

Good practices to consider...

Speak to the regulators about the impact on risk management and control and what you’re doing about it. Just like the board, they don’t like surprises. And they can even be understanding and supportive if they are kept informed in an open and timely way. In particular, don’t neglect to tell them what you are doing to get confidence in the risk culture. They are very alert to the importance of this.

Things to avoid...

Putting the regulators too far down the priority list. With everything else that’s happening, they might get briefed too tardily or worse, not at all. And this doesn’t only apply to financial institutions: charities, pension fund trustees, utility companies, media and telecoms, travel… Most organisations are accountable to one or more regulatory bodies, who will be anxious to know not only whether you’re viable but also that you’re maintaining the control environment and the processes that will keep you compliant with regulatory obligations.
