Enterprise risk management to support crisis response – a process, not a project

The COVID-19 pandemic has forced businesses of all sizes to navigate new ways of doing business on top of dealing with immediately pressing cash flow concerns. This rapid shift in priorities has left many organizations more vulnerable to certain risks. In Baker Tilly’s webinar, Crisis, continuity and recovery: a real-time enterprise risk workshop, our specialists discuss how organizations can identify and mitigate risks in real time with special attention to cybersecurity and fraud risks.

While the immediate fallout from COVID-19 is beginning to level out as organizations and employees settle into the new normal and aid is being made available by the U.S. government, the risks associated with the situation are still very much ongoing. The first step to mitigating any risk is identifying it, which is where enterprise risk management (ERM) can help.

ERM is concerned with how you manage your business’s risk every day – not just during a downturn – and making that process more transparent to your leaders by formalizing it. During a downturn, it can certainly be difficult to focus on more than the negatives of the situation, but some organizations are discovering opportunity (the upside of risk). ERM can help you identify both.

While each organization’s ERM program is going to be different, the basic structure should consider the following process:

• Identify and assess: Identify your key risks and assess the likelihood and impact level of each risk; consider 10-15 risks to focus on proactively with your board and leadership; and identify who will be responsible for managing each risk
• Respond: What action will be taken? Will you mitigate risks via internal controls, share risk with a third party (e.g. insurance), or exit that risk all together?
• Monitor: Monitor your organization, industry and environment to determine how the risk landscape is changing and whether your responses are effective
• Improve: Identify if the mitigation process is still in place and working, and if the people in charge of mitigating each risk are still the right ones to be doing so.

Broadly speaking, it’s important to note that having your risks defined and processes in place allow you to pivot your strategy quickly to adapt to new situations. No one can predict the future, but organizations can – and should – plan for high-impact possibilities. It may seem advisable to focus on high-impact/high-likelihood risks, but as the current situation has proven, it’s well worth your time give some attention to high-impact/low-likelihood events, such as a pandemic.

Cybersecurity concerns in a work-from-home world

Now that many employees are working from home, one of the most obvious risks facing many organizations is cybersecurity. While your best defense against cybersecurity threats is still simply to train your employees to be suspicious, working from home opens the door to organization-wide cybersecurity risks through personal devices, home network security, and virtual private networks (VPN) for the simple reason that all risks on home devices get transferred to your corporate network.

Every business is different in terms of complexity of infrastructure and types of systems used, of course, but the following are some of the major trends and emerging threats to be aware of in the new environment:

• Internet of things (IoT): Internet-connected devices throughout employees’ homes – including items such as thermostats and baby monitors – all have their own operating systems that are ripe for exploitation by hackers because they are rarely updated. Depending on how your VPN is configured, it’s easy for hackers to get access to employees’ home networks, and from there, the organization’s network.
• Phishing: Bad actors capitalize on people’s fears and current headlines in order to steal employees’ credentials and launch ransomware.
• Insider threats: Working remotely has meant a lot of internal controls have been temporarily loosened. As organizations try to get around not having the resources to share data securely (e.g., through the use of thumb drives and external file sharing), there is a lot of unintentional data leakage.
• Supply chain risk: Layoffs and furloughs affect your service providers too, including the level of service you receive from them, which affects the strength and quality of your network security.

For an in-depth guide to good remote work practices, we recommend the National Institute of Standards and Technology’s "Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST 800-46).”

Fraud risk as an integral part of ERM – especially in a crisis

Organizations are particularly susceptible to fraud in a crisis because fraud relies on deflection and distraction. Simply put, people behave differently in a crisis – they are motivated by emotions and follow different lines of reasoning than in normal times. That includes the bad actors as well as the good.  

Crises also tend to inhibit fraud detection activity because people are focused on other things – for example, meeting sales targets or more obvious risks like cybersecurity – when in fact, fraud potential may have increased. It’s no surprise that bad actors will take this as an excuse to exploit others’ distraction.

Individual behaviors in a crisis do not correspond to everyday life behaviors, which should be worrying for organizations. During the financial crisis in 2008, anxiety, confusion and disbelief lead to poor and unethical decisions, often with the justification that the action would happen “just one time.” That one time, of course, can have profound consequences, especially if multiple people are making multiple bad choices in an already risky environment.

So as we continue to move into a world of remote work, what can organizations do to mitigate the risk of fraud?

• Continue your ethics and compliance training: Send good messaging from your senior leadership regarding your values and mission to ensure your employees understand where you stand as an organization and are aware of how you expect them to act.
• Continue internal audits: While the urge may be to cut your focus here, now is not the time. There are many monitoring and oversight activities that can be done remotely.
• Continue exit interviews: Exit interviews are a huge opportunity to uncover certain risks you may not know about, which is especially important in a crisis environment

One final risk relates to organizations with leaders who are incapacitated by COVID-19 or helping family members who are sick. If the organization lacks qualified people in those leadership positions, over-reliance on skills and capabilities for people who are filling a leadership void can be problematic for organizations.

For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.