A recent survey from Compliance Week and Riskonnect of 261 compliance and audit professionals found that half of the respondents were not prepared for the coronavirus pandemic with an updated crisis management plan.
While COVID-19 impacted many firms’ governance, risk, and compliance (GRC) data management processes, just 41 percent said they had an up-to-date crisis response plan in place, and the remaining 9 percent were uncertain.
More than one third of survey respondents (35 percent) said that a pandemic or similar global crisis risk event was not on their radar of potential threats. Another third (36 percent) said it was on their radar, but not to the magnitude that it would eventually blossom. Only 10 percent said a global pandemic of this magnitude was on their radar for potential threats.
Bob Bowman, senior director for risk management at The Wendy’s Company, indicated the fast food chain had a solid plan in place to deal with the effects of the coronavirus pandemic on its business.
“We envisioned, and our incident response plan encompassed, various scenarios that share a number of characteristics with the current situation,” he said. “In addition, our incident response plan, and our incident response team, utilize a robust response framework that equips us to respond in a very agile manner, relying on a foundation of familiar roles and responsibilities which we quickly refine to meet the specific challenges of the situation.”
One thing Wendy’s didn’t see coming was the length of time the pandemic would continue to affect its core business, he said. The company has continued to handle what he termed “short-term crises” while simultaneously responding to the long-term health crisis.
“… One of the more significant difficulties associated with the COVID-19 event is endurance and the challenges associated with having the incident response team actively convened for a period of months, as opposed to the limited duration that’s more common,” he said.
Respondents to the survey were mostly from large companies, with 30 percent working for organizations with more than 10,000 employees and another 30 percent working for firms with between 1,000 and 10,000 employees.
Nearly half (48 percent) of the compliance professionals who replied to the survey said the pandemic revealed a need for improving GRC processes and technology within their organizations. The rest were split between being uncertain (26 percent) and saying it did not reveal such a need (26 percent).
“We talk about blind spots and ask our clients, ‘What can you do to become a more resilient organization?’” said Andrea Brody, Riskonnect’s chief marketing officer. A key step toward building resiliency, she said, is for companies to ensure that its GRC processes are aligned throughout the organization, taking into account its corporate culture and including all its stakeholders.
Once those GRC processes are aligned, companies can then leverage technology that allows for cross-integration. “You can’t do that, though, unless everything is integrated,” she said.
Another area in which companies said the pandemic exposed weaknesses was in their data. More than half (52 percent) said their data resides in multiple sources and needs to be pulled together manually. An additional 11 percent said their data is siloed across the organization and is therefore difficult to pull together. Another 8 percent said they don’t know where all their firm’s data is stored.
With regulations like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Protection Act (CCPA) in the United States, firms have more incentive than ever before to centralize their data collection and data storage processes, Brody from Riskonnect said.
All of a company’s data should be stored in a central repository, so that data breaches and other cyber-security threats can be addressed quickly, she said. There is software available that creates a framework that allows companies to immediately know which data was compromised by a breach, allowing for a quick assessment of the potential damage to your firm, internally from an operational perspective and externally for dealing with other stakeholders like customers and regulators.
“Once you have your data integrated into a framework, you can see the impacts the event has on your entire organization including people and processes,” she said.
One positive to emerge from the coronavirus pandemic was that their ability to lead was tested and they performed admirably, survey respondents said. A full 73 percent said their ability to provide leadership with timely risk and compliance-related data was good or very good, while another 20 percent said it was fair.
When asked about the most difficult crisis response issue for their employer, answers from compliance and audit professionals were all over the map—but most had to do with keeping the business running. The top issue was the rapid rollout of workforce options, including remote work (24 percent), followed closely by keeping up with coronavirus-related regulatory changes and guidance (22 percent) and assessing and mitigating third-party risks associated with their supply chain and vendors (18 percent).
Brody says many firms made the mistake of thinking about business continuity as “everything after the fact.” The pandemic flipped that thinking on its head, she said.
“It’s really less about business continuity and more about operational resiliency,” she said. “It’s a lesson learned—a painful lesson, absolutely—but there’s some good to come out of this. Now all of the risks are on the radar. It should encourage companies to create a more risk-aware culture.”
One of the survey questions asked if the compliance and audit professionals responding to the survey were part of their organization’s crisis management team. More than half (57 percent) said no, and 40 percent said yes.
Brody said the pandemic has raised the awareness of the risk function within organizations, and perhaps has elevated its profile as well.
Every board and every CEO should be able to come to work every day and ask, “What is our risk profile today?” she said. Doing so requires the establishment of a crisis management team with representation from all segments of the company, ideally with strong support from the C-suite.
“There is a lot at stake if the company can’t answer YES to that one question. The impact of lack of visibility into this will be felt from the top to the bottom and transcend across the board, management, and stakeholders,” Brody said. “Taking an integrated approach to risk management should be more than a compliance mechanism. COVID-19 has proven that risk management needs to be an integral part of the organization’s culture, strategy, and day-to-day business operations. Today’s environment demands that boards and the C-suite need to step up their game with an intense focus on risk management.”