In many ways, the COVID-19 pandemic has served as a prime example of punctuated equilibrium. Shifts that have been slowly building for decades seemingly occurred overnight, giving us the contradictory sense that these changes were simultaneously long overdue and far too sudden – generating new anxieties over well-worn risks.
That is certainly true of the shift to remote and hybrid work. Despite being told for years that remote work is “the new normal”, most businesses were caught off guard when the pandemic forced large segments of their workforce to start working from home almost overnight, introducing new risks, and new anxieties along with them.
As organizations begin planning for the transition from temporary work-from-home (WFH) to more permanent hybrid and remote work environments, they will have to deliberately review how they identify, define and respond to risk. This will mean revisiting acceptable risk thresholds, cultivating a culture of compliance, and breaking down silos to craft cross-functional solutions to both long-standing and novel problems.
As companies quickly transitioned to WFH, their risk increased significantly. PwC’s article, “COVID-19: Making remote work productive and secure” acknowledges that while some companies had modernized infrastructure and training in order to transition quickly, others emphasized “connectivity first” in their initial response – ultimately compromising on security.
NAVEX Global had many accommodations for remote work already in place, including laptops and technology infrastructure. We operate out of multiple office locations, in addition to employing many remote workers. We also have an exemplary sales and services staff familiar with traveling the world in support of our customers.
For many, however, the transition to remote work was neither quick nor simple. Organizations and their employees became intimately familiar with virtual meeting technologies, for better or worse. And without a virtual phone system, employees became even more reliant on their personal cell phones for business calls, expanding BYOD risk across the company: devices the organization does not manage, and often cannot wipe, now carry business conversations and contacts.
Many countries enacted significant changes to their laws and regulations to better support remote employees. NASSCOM, India’s National Association of Software and Services Companies, and Indian authorities moved quickly to relax regulatory restrictions, enabling call center staffers to work from home. Harvard Business Review’s article, “Our Work-from-Anywhere Future,” provides further examples of the Canadian government’s involvement in assisting economic migrants.
We have generally seen that as the risks of conducting business during a global pandemic have increased, so too have organizations’ level of risk acceptance. However, many businesses still invest considerable resources in reducing risk. The workload just to accommodate WFH modeling was extensive, and much of it was dedicated to risk mitigation. While executive leadership is keen on reducing risk, risk professionals must help leadership understand that risk acceptance is a critical part of doing business.
Accepting Risk and a Culture of Compliance
Every company in the world understands there is a certain level of risk in doing business. Each company must also decide:
- The threshold for acceptable risk
- The amount of time and resources that should be dedicated to risk mitigation
- When to turn to compliance after determining the level of risk acceptance
Treating compliance with a “checkbox” attitude can have devastating consequences. Successful compliance requires a day-to-day, cultural approach where all employees play a part in maintaining the security and compliance of the organization.
When you have meaningful, effective controls and policies in place across the organization, your risk tolerance becomes clearer and more deliberate. This kind of behavior necessitates committees, regular meetings, training, and the encouragement of employees to self-report issues – a concept you can read more about in a current customer’s case study.
In a recent Forbes article, Mark Nevins points out that the “most compelling reality” in any organization is that humans are the weakest link in its security. Addressing this reality means cybersecurity must not be thought of as a cost center or treated as an afterthought. Again, security needs to be ingrained in the culture of an organization. Once a robust program is implemented, the company cannot rest on its laurels simply for having dedicated resources. Effective cybersecurity and risk management require continual diligence and dedication.
Ongoing training and courses that require annual sign-off are necessary and often effective, but companies must go further. Create a culture of compliance within your organization that makes security part of the everyday expectation and supports the conversations necessary to educate your teams. Over time, this approach will mitigate more risk, save more money, and better protect the enterprise.
Integrating Risk Management With Compliance
When compliance and IT discuss issues like WFH, it’s easy to fall into the trap of talking about risk registers, risk and control matrices, and everything that can go wrong with vendors. Most organizations, however, don’t start by thinking about the risks; they begin by reviewing their policies, their regulations, and hopefully their controls. Ultimately, the two sides work together. While some risks are inherent in doing business, many others appear because of a gap in an assessment, or a control that isn’t effectively managed. Likewise, many controls are born from a need to mitigate one of those pesky risks.
Corporate compliance is a complex area to maintain. Integrating risk management across the organization is a difficult task. Too often, even the best of intentions fizzle out quickly, leaving departments siloed and stakeholders across the company to wonder, “what went wrong?” The most effective programs prioritize efforts to enhance risk management and tell the story that blends risk and compliance. Here are some areas to consider if you are getting started:
- What authoritative sources of information do you seek to comply or align with?
It’s great if you have internal controls, and it’s phenomenal if you have your risk register completed. If you aren’t there yet, start with what’s mandated: PCI DSS, HIPAA, SOX, and so on. All of these frameworks define clear controls and tests of those controls that you can start validating immediately. You’re probably adhering to these requirements already; now you need to identify the gaps you have across the organization in meeting those expectations. Determine which issues can be completely resolved, and which residual risks are acceptable to your organization.
- Do you have an organizational risk methodology?
How are you tracking and managing your risk? Do you have a process for evaluating and scoring? Either way, establishing a risk and compliance committee is a must. Bring in heads of relevant programs like the General Counsel, Chief Compliance Officer, Chief Information Security Officer, IT Management, Vendor Management, etc. Risk Management is a long-term investment in the well-being of any company. Start building meaningful models with the leaders at your organization and build that culture from the top.
- Pick one process to focus on.
Risk management is fluid and complex and can’t happen overnight. Do you want to improve your process for requesting and accepting new vendors? Do you need a better asset library? Do you have an upcoming audit where you can dig in on the control reviews? Continually focus on making things better, not making things perfect.
Bridge the Gap
Years ago, cybersecurity, compliance and risk management were often addressed with a checkbox approach, and for some organizations they still are. But in an era increasingly dominated by remote and hybrid work environments, that mindset is demonstrably inadequate. Today we seemingly cannot go a day without hearing about the latest data breach, and those are only the ones at companies large enough to make the news cycle. Compliance is critical because it is designed to address the risks of running a business, and that applies to every business.
Within Integrated Risk Management, we tend to underestimate how much time we need to spend with compliance professionals. The two sides of the business can end up segmented, but are naturally intertwined. Breaking down those walls between teams creates a more meaningful culture and program within the organization.
In IRM consulting, you often recognize that there is tremendous potential for new programs if all parties invest their time and energy into establishing process and priority. It can be a hard sell when people already have consuming jobs with full workloads. Intentional decisions at an organizational level will not only drive the desired outcomes but shift your mindset to a culture of compliance.