Should You Conduct a Covid-19 Specific Risk Assessment?
Much like yourselves, we’ve been busy since Covid-19 hit our shores. As a team of consultants offering a broad range of skills and experience in the realms of strategy, risk, compliance, performance management, business operations and information assurance, we have been providing clients with guidance and hands-on assistance in a number of key areas, most notably Crisis Planning and Management (e.g. managing the organisation’s pandemic response, providing strategic and operational capacity, and assessing business impact), Workforce Planning (e.g. modelling the impact of extended periods of home working and widespread absence, and the implementation of tools to improve connectivity, engagement and effectiveness of home working solutions), and Information Assurance and Cyber Risk (e.g. assessing associated risks of utilising new and widely distributed technology solutions, ensuring the cyber security of home working solutions and practices, and introducing controls to reduce the threat of new risks introduced as a result of the ‘new normal’). It’s been a challenging but interesting few weeks…
As the dust settles on what we’d see as Phase 1 of the economy’s response to the pandemic (successfully manoeuvring organisations and mobilising their workforces to ensure some level of business continuity is maintained despite the constraints imposed through implementation of restricted movement policies), it is perhaps a good time to shift focus onto an assessment of those ongoing risks that the pandemic will continue to throw up. How are we supporting our clients in developing and implementing frameworks to manage these?
There are times when a universal risk assessment for your organisation may not provide the necessary granular level of detail required in specific instances to make it a truly effective tool for protecting the best interests of the business and the individuals within it. A good example of a more granular approach to risk that we already see prevalent within the finance industry is of course the existence of Anti Money Laundering (AML) specific risk assessments, that sit alongside the more general Business Risk Assessment (BRA). And so the question that has arisen over the last few weeks is whether or not there is value in, or indeed a need for, developing a Covid-19 focussed risk assessment?
We think the answer is a firm yes, for two very good reasons. The first is that with something as extraordinary and monumental as a global pandemic it is very likely that time spent previously considering the risks associated with it was minimal at best. We’d possibly like to kid ourselves that we had this one covered, but I’d argue that the majority of us simply never thought it would happen, and therefore gave it very little attention. Some things are just too big or absurd to consider… We’ve seen a few risk registers in the past that make mention of a pandemic, but you can be certain that although the impact may have been assessed as high, the probability would have been rated as unlikely at worst. So this in turn means that generally speaking businesses hadn’t really considered whether they had the controls in place to mitigate such a colossal risk in the event it became a reality. And that reality is now upon us. Very few people apart from perhaps those at the WHO could have predicted the sheer extent of the impact we are now experiencing, without sounding like fantasists or doomsayers. And just because it’s happened and we’re now living the reality doesn’t mean that all associated risks are now in the past – this is essentially why we believe conducting a Covid-19 risk assessment has significant value at this point in time.
The second reason is that for the first time we are seeing auditors (including certain Big 4 firms) raising specific Covid-19 concerns in relation to the ‘going concern’ nature of businesses, and withholding sign-off on accounts until such time as an organisation can demonstrate a suitable risk assessment has been carried out, with risks identified and effectively assessed, suitable controls detailed, and with remediation actions outlined where appropriate or necessary. This will be a concern for many businesses, and perhaps particularly within certain elements of our local finance industry, as the inability to demonstrate auditor confidence would necessarily lead to a review of finance arrangements, amongst many other factors.
The approach we’ve taken in assisting clients to date is initially to help define a number of key risks that the business faces. These may already have been highlighted in the case of an audit query, or we can apply our knowledge and experience to suggest worst-case scenarios and identify the risks these would represent. Typically these will be focussed around such areas as the impact of home working on productivity, the organisation’s resilience in the likelihood of long-term or widespread absenteeism through illness or the provision of childcare, the availability of critical external business partners, the risks associated with the rapid adoption of new technology solutions, the likelihood of additional costs associated with the Covid-19 business continuity response, and so on. We would then look to attach existing organisational controls to these risks, in order to mitigate them as far as possible, but where controls don’t exist the development of actions with clearly defined owners and deadlines is critical in ensuring that the business develops the necessary robustness against the potential ongoing effects of Covid-19.
We have undertaken this with the help of a low-cost Governance, Risk and Compliance (GRC) tool that we introduced into the island at the start of 2019, which is once again proving its worth in the current environment and lends itself perfectly to such a ‘project based’ analysis of risk. Although implementation of the solution is by no means essential, by building out the specific risk analysis within it we are able to more easily link threats with risks, and risks to controls and actions. Assessing risk according to whatever methodology the organisation most favours is a simple undertaking, whilst a heat map provides an effective graphical snapshot of the level of risk at play and in conjunction with the organisation’s risk appetite can be used to ascertain whether tolerances have been breached. Evidence for the existence and effectiveness of controls and policies can be uploaded, and as you would expect reports can be produced drawing together all of the relevant information around risks, controls, actions and owners. In all, a comprehensive, self-contained assessment of the organisation’s preparedness for the very real risks that this pandemic has already thrown up and most likely will continue to do so.
If, as we do, you think that this should be an essential part of your Covid-19 response strategy then we would love to hear from you. It’s likely to be time very well spent.