Companies everywhere are racing to retool their risk management operations to address Covid-19, and I’ve been on a quest to find as much guidance as possible to pass along to everyone else. The GRC software firm Galvanize (formerly known as ACL) just hosted an emergency webinar to talk about how it’s trying to cope — which I eavesdropped upon, so let me pass along its most relevant tips here.
The Galvanize team spent last week developing eight objectives for operations during a pandemic. This is what Galvanize is using internally, and the objectives make just as much sense for any other business. (As soon as Galvanize has a URL for its webinar today, I will add that here.)
In order, those objectives are…
1. Workforce health. Do you understand the physical health of your workforce? Do you know of all employees who either have covid, or covid-like symptoms? Do you know where they are in the world, and are any trapped in locations where they need help getting home or getting access to the company and its networks?
2. Workforce effectiveness. Do all employees have proper access to the tools they need to work during the pandemic? If some employees must work from home, do they have the necessary computer equipment and network access? If others are essential employees for a physical location, do they have proper permissions to reach the site? Will payroll continue to put money into employees’ accounts? (Say, for example, if some employees still collect physical checks.)
3. Customer continuity. Do you understand what your customers and sales prospects are doing at this moment? Are you closely following any RFPs or contracts currently in negotiations? Can you monitor how your customers are using your product, and if those usage levels are changing? Can you monitor their engagement with your products? Have you provided means for customers to ask questions about your operations?
4. Financial continuity. How is the finance team monitoring cash flows? How are you measuring and watching liquidity risks? What are the most important metrics to watch for financial flows, such as contract renewals? How is the company speaking to investors? And, yes, even now — are you watching the competitive landscape for potential merger or acquisition targets, if those targets are weak?
5. Vendor and partner continuity. First, talk to your key suppliers and assess their operations and continuity. (In the ideal world, you’ve already had a SOC 1 audit on your key suppliers, which assesses how well they govern their third-party risks.) Then turn to business partners, resellers, or other local agents to assess their continuity. (This is especially true if your business relies on overseas sales.)
6. Communications. With whom? Well, everybody: employees, customers, business partners. You might need to develop new communication strategies that work digitally, and you may need to shift the tone of the messages — say, from sales and recruitment to loyalty and stability.
7. Security. Do you understand how the pandemic changes security risks for your operations? That includes cybersecurity with more people working remotely, and even physical security if you have plants or offices that will be shut down for long periods.
8. Reputation monitoring. After the first seven objectives, you still need this eighth objective to see whether those first seven are keeping the business afloat. So you might need to conduct more employee or customer satisfaction surveys, more phone calls to key clients, or even media monitoring to see what others are saying.
Pandemic Risks and Response Controls
Risk management teams also need a risk management framework for pandemic risks and the controls you’ll need to implement in response.
First, of course, you need a pandemic risk framework. The World Health Organization has one, but that document is geared more for public health authorities. As I mentioned in a post last week, corporations are still struggling to translate those public health documents into something we can use here in the private sphere.
Anyway, we can at least start with WHO and its threat scale, which goes from 1 (low pandemic threat) to 4 (highest threat, which is where the world already is). Then you can start to assign response controls to each threat level, and formulate and implement some version of a pandemic response plan.
For example, if we were at Level 1 on the WHO scale, you might implement responses such as removing employees from high-risk areas or confirming the availability of additional network capacity. At Level 3, you might be imposing tight controls on visitors to outside facilities, activating a sick hotline for employees to report illness, and disinfecting common areas nightly. At Level 4, everyone is working from home.
If your corporation is large enough that you’re using risk management software like Galvanize (or LockPath, or Riskonnect, or AuditBoard, or whoever), then it’s a safe bet those vendors are racing to bring you more pandemic-relevant material. Here in this post, I just want to focus on the abstract workflow:
- Find a pandemic risk framework.
- Develop appropriate response controls.
- In a perfect world, test those controls. Here in our real world, implement them now.
As to the original eight objectives above, remember that a lot of what you want to do there is monitor continuity of operations and relationships — with employees, with suppliers, with business partners, with cash flows. Think about how to do that: which metrics will tell you something useful, and which of those you can monitor as closely as possible.
For example, if you provide tech services, monitor how your customers use your services. Maybe they’re logging in less often, or they’re using the services in unusual ways. That could tell you something, so you need to figure out how to monitor that behavior.
Likewise, with employees: monitor how they use the corporate network and how they interact with other business functions. How often do they access the network? How often do they submit tickets for tech support? What applications are they using, and for how long?
If you want to assess continuity, you need to monitor. That might be new territory for some audit teams, which only do point-in-time audits.
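One way to turn the customer and employee usage questions above into a continuity check, as an added example (not code from this post or from Galvanize): compare a baseline week of activity against the current week, flagging accounts whose logins dropped sharply and accounts showing an activity type never seen before. The event log is constructed for illustration and the 50% drop threshold is an assumption.

```python
"""Continuity monitor: week-over-week usage comparison per account.
Added example; the sample events and thresholds are constructed, not real data."""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample log: (account, ISO date, event type).
EVENTS = [
    ("acme", "2020-03-02", "login"), ("acme", "2020-03-03", "login"),
    ("acme", "2020-03-04", "login"), ("acme", "2020-03-05", "login"),
    ("acme", "2020-03-10", "login"),
    ("bolt", "2020-03-02", "login"), ("bolt", "2020-03-03", "login"),
    ("bolt", "2020-03-09", "login"), ("bolt", "2020-03-10", "login"),
    ("bolt", "2020-03-11", "export"), ("bolt", "2020-03-12", "export"),
]


def weekly_counts(events, week_start_iso):
    """Per-account counts of each event type in the 7 days from week_start."""
    start = date.fromisoformat(week_start_iso)
    end = start + timedelta(days=7)
    counts = defaultdict(Counter)
    for account, day, event in events:
        if start <= date.fromisoformat(day) < end:
            counts[account][event] += 1
    return counts


def continuity_flags(events, baseline_start_iso, current_start_iso, drop=0.5):
    """Flag accounts whose logins fell by more than `drop` (fraction) versus the
    baseline week, and accounts with an event type absent from the baseline
    (the 'using the services in unusual ways' case). Returns {account: reasons}."""
    base = weekly_counts(events, baseline_start_iso)
    cur = weekly_counts(events, current_start_iso)
    flags = {}
    for account in sorted(set(base) | set(cur)):
        b_logins, c_logins = base[account]["login"], cur[account]["login"]
        reasons = []
        if b_logins and c_logins < b_logins * (1 - drop):
            reasons.append(f"logins {b_logins}->{c_logins}")
        new_types = set(cur[account]) - set(base[account])
        if new_types:
            reasons.append("new activity: " + ",".join(sorted(new_types)))
        if reasons:
            flags[account] = reasons
    return flags


if __name__ == "__main__":
    # Baseline week of Mar 2 versus the week of Mar 9 (constructed dates).
    print(continuity_flags(EVENTS, "2020-03-02", "2020-03-09"))
```

The same function works over employee network logins or support-ticket submissions; only the event log changes.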
DISCLOSURE: I do work with Galvanize, where the company pays me to contribute occasional blog posts, white papers, and other materials. Galvanize did not pay me to write this post. (They don’t even know I wrote it.) Nor is any of this an endorsement of Galvanize products, since my media empire of one doesn’t use audit management software.
The points Galvanize raises, however, are good ones; so I pass them along here.