Risk Management - Companies Feeling Exposed

After the initial shock of the lockdown, people and businesses are increasingly frustrated with the confusion across various countries and states resulting from the COVID19 pandemic. The global economy has taken a tremendous hit and like my colleagues and clients, I am finding it challenging working in isolation. Zoom, Team and WebEx and other remote working applications while great alternatives, do not make up for direct human interaction. Based on current information this situation is likely to be the new norm for a while.

In order to keep my sanity in check, I have been discussing with businesses, peers and fellow practitioners what the top three things are they are concerned about or would do differently as a result of the pandemic.  The single most common thread across the groups has been the lack of planning, however, the two largest risks that they felt exposed to were remote infrastructure and training.

For example, many did not have adequate infrastructure to allow at least 50% of their workforce to work from home. Whilst this may highlight a poor understanding of business impact analysis (BIA) regarding their business continuity and disaster recovery plans, in all fairness, many may have attributed a very low likelihood of occurrence for pandemic scenarios to materialize. No doubt this would have been a question of balance and where to efficiently allocate often limited budgets. The conversations also revealed that for the next few years, all of them are anticipating significantly increasing spending on remote access infrastructure. An integral part of this decision will be the need to address and incorporate vulnerability management resulting from personal devices being used to connect to corporate networks.

Training was another area highlighted by the group where they felt the most exposed. In one scenario formal training was only provided to person(s) who normally ran a key process but with 50% of the team unavailable due to the pandemic, the challenge and exposure were vastly underestimated, especially if it was a key process in preserving human lives. A related critical fact that has come to light regarding internal training is the lack of documentation. Most technical people I know, hate to document processes and procedures. Trying to conduct internal training without formal documentation is like trying to drive somewhere new without a map.

As the process to peel back the layers has already begun in earnest many are starting to form their risk influence map (RIM), something that I have espoused for many years.

Our mission is to help the business community to get through these challenging times. Let us know what you have found to be essential in managing critical situations. Email us at contact@maclear-grc.com.