Risk, according to ISO 31000, is “the effect of uncertainty on objectives.” Uncertainty is all around us in 2020. Organizations go to a lot of effort to put a label on specific risks, but the reality is that risk is too complex to put into a container and label. An organization cannot look at risk in silos of labels, because doing so fails to see the interconnectedness of risk.
A risk event has a domino effect on the organization. What starts as one domino of risk cascades into other risks. Consider the current global crisis and pandemic of COVID-19. It started as a health and safety risk coming out of Asia. However, it has had a cascading impact, causing other risks to materialize and change, and those in turn impact the organization. It cannot be managed in isolation; it has to be understood within the complex web of interconnected risks and objectives that play out from it.
What originated as a health risk in a community in Asia now has a global impact that goes far beyond just an illness. Consider the following:
- Risk to objectives. As the pandemic unfolded, every organization saw an impact on its business objectives. Adapting to the crisis, businesses had to modify those objectives. Entity, divisional, department, process, project, and asset level objectives have been modified, and risk exposure, the uncertainty of hitting both original and modified objectives, is in a state of volatility during the pandemic. This plays out from the economic and business impacts of the virus.
- Risk of operational resilience and continuity. Organizations have increased exposure in their operations and the delivery of business processes. Business continuity in many organizations had an isolated focus on IT security and disaster recovery and was not prepared for a pandemic of this nature. They were ready for a computer virus, but not a global people virus. As employees were cut, processes were changed, and a focus on work from home was put in place, the organization scrambled and faced growing uncertainty and exposure.
- Risk of information security. With the focus on supporting a broad work from home strategy, the organization faced increased exposure to IT security issues. Home office environments are often not secure. With the Internet of Things (IoT), the light switch, vendor, or TV in the employee's home could be a source of exposure for company data and connections. Further, hackers and organized crime have taken the crisis as an opportunity to infiltrate organizations and steal data.
- Risk in third-party relationships. It is typical that half of the organization is not made up of traditional employees. Brick and mortar walls and employees no longer define the organization. Today’s organization is a complex web of nested relationships spanning suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, and intermediaries. We have seen significant issues where service providers and outsourcers have completely shut down because of lockdowns and are unable to support organizations and deliver services. We have seen constrained supply chains and the inability to deliver goods.
- Risk of company culture and control. With rapidly changing processes to address the pandemic, the organization is lacking controls or navigating around controls. With reduced staff, employees are wearing multiple hats, and there is greater exposure from segregation of duty conflicts. Employees themselves are concerned about the economy and their (and their loved ones') well-being and security. Working from home offices and not in corporate buildings means further insecurity for many.
- Risk of fraud. In uncertain economic times and the unfolding of a recession, employees are under more stress to make ends meet. Employees who might never think of stealing/committing fraud during normal times may choose the wrong path when faced with the economic stress and uncertainty they now face.
- Risk of bribery and corruption. Constrained supply chains and pressure to meet objectives increase the risk of bribery and corruption. With customs, import, and export coming to a crawl in some countries, there is greater risk and exposure that someone may pay a foreign government official a bribe to expedite their goods over others, or to get specific contracts or permits at a time when not much is being done.
- Risk of modern slavery and human rights. We see the unrest over human rights all around us right now. What was an issue before the pandemic has exploded further because of the pandemic. But it goes beyond civil rights and the treatment of people groups by those in authority; it also extends into our facilities and supply chains. The pandemic has hit certain areas of the world hard. Factories have lost employees to illness and death. As a result, there is increased staffing with child or forced labor and poor working conditions.
- Risk of harassment and discrimination. Unrest is abounding. Stepping beyond the protests right now, there has been growing discrimination because of the virus and a focus of anger on ethnic groups (particularly Chinese, where the virus started). People working from home and not in normal office conditions do not understand that the same rules apply. Communications such as email, text, and video calls have become more relaxed, and individuals are crossing boundaries and making statements that amount to sexual harassment.
I can go on and on. I have not touched privacy risk, compliance exposure and the inability to meet compliance requirements because of changed business processes, and so much more.
The point is that risk is interconnected. Organizations need to map and understand the interconnectedness of risk. Risk management requires scenario planning as well as tabletop exercises to creatively walk through how risk unfolds, where uncertainty and other risks can develop, and how objectives are impacted. I personally love bow-tie risk analysis to explore these connections and relationships.
Organizations cannot manage risk in isolation. They need an enterprise view of risk that sees the interconnections and the impact of uncertainty on objectives. They need a top-down approach to risk management that looks at objectives and at the risk and uncertainty to those objectives. They also need a bottom-up approach that looks at the details of risk down in the weeds of business processes and transactions. Good risk management brings together both risk quantification and qualification, and it requires left-brain structured thinking as well as right-brain creative thinking on risk and impact. Enterprise risk management also needs to be balanced and not held captive by one department, like IT security, because the risks the organization and the world face are complex and interconnected.