Rebooting grc for covid-19 pandemic: The road less travelled
Dr. Emmanuel Moore ABOLO is the President, Institute for Governance, Risk Management & Compliance Professionals/GMD, The Risk Management Academy Limited.
There is a popular Ghanaian proverb that says: when the sea dries up, the sun should share in its shame’’. And ‘’an animal that eats thorns must know how to digest them in its stomach’’. Clearly, we all were caught pants down by Covid-19 so there is no need for finger-pointing!
Many businesses shy away from identifying and considering how to deal with uncertainty, or risk, in their business. It is often perceived as an overhead and pessimistic; but it is key to survival when things go wrong.
According to Marya Mannes, ‘’the sign of intelligent people is their ability to control their emotions by the application of reason”.
Let us quickly remind ourselves of these facts:
The 20th century witnessed two epidemics since the historic ‘Spanish Influenza’ of 1918: the ‘Asian flu’ of 1957 and the ‘Hong Kong flu’ of 1968. The 21st century has seen four pandemic outbreaks: N1H1 in 2009 (‘bird flu’), Severe Acute Respiratory Syndrome (SARS) in 2002, Middle East Respiratory Syndrome (MERS) in 2012, and Ebola which spiraled in 2013-14.
The Covid-19 may, in fact, be as contagious economically as it is medically. The IMF says it sees “more dire” possibilities ahead for the global economy.
Just a couple of months ago, the global economy seemed well on the way to a pleasant recovery; trade and political tensions were seen as “not so bad”, growth projections were rubicund, and financial markets were vivacious. Now all bets are off. As COVID-19 spreads around the globe, it has become clear that it has the potential to derail the global economy.
The US, China, Japan, Germany, Britain, France, and Italy alone account for:
• 60% of world supply and demand (GDP);
• 65% of world manufacturing; and
• 41% of world manufacturing exports.
These economies – especially China, Korea, Japan, Germany and the US are also part of global value chains, so their miseries will produce ‘supply-chain septicity’ in virtually all nations. So we need to understand what is ahead of us.
When it comes to responding to risk during a global crisis, you could take the approach of reacting to the events as or after they happened. Or, using your data and a strategic risk-based approach, you could create a longer line of sight to see the risk coming, and act to moderate it.
There are several areas where the GRC professional could be pointing his/her efforts by using organizational data to uncover hidden and evolving risks.
Here are some key questions/issues for the GRC professional while engaging with other stakeholders in the organisation:
• Have you reviewed your exposures holistically?
• Have you reviewed your GRC policy for coverages?
• Have you reviewed and tested your Business Continuity Management plans? How can you contribute meaningfully to BCP?
• Have you considered the implications to supply chain and have you identified other suppliers? That is, have you identified alternative sources of supply that may be implemented on short-notice?
• Have you worked with HR to establish corporate procedures for relocating employees and replicating their workflow at another location?
• What risks have emerged (such as heightened cyber risks due to a remote workforce or a third-party response to the pandemic) that need to be addressed, and are there protocols in place to report, aggregate and analyze emerging risks as the situation evolves?
Let us now focus attention on some key areas that GRC can address holistically:
Workforce health: How can you ensure that your company keeps employees safe and happy? This is a very broad area, very much based on what the organisation does, where it is done and what systems and equipment are used.
• Is the company currently mandating that employees work-from-home (WFH)?
• Do we have a self-reporting tool?
• Do we need to provide facility access?
• Are our remote workers properly equipped? Is your company ready to provide enhanced cleaning facilities and materials?
• How can your organization reduce unnecessary personal gatherings, like training courses, meetings and conferences?
• How can your organization use video and audio conferencing to hold events and meetings?
• How can you make sure current health guidance is well known, understood and applied across the enterprise?
• Have you commenced amendment of your organisation’s processes and procedures to reflect new legislation and guidance (e.g. absence and sickness reporting)?
• How are your organisation’s employees feeling overall?
Workforce effectiveness: Are your organisation’s employees maintaining productivity?
The sudden shift to working from home would challenge management throughout many industries, including banking and financial services. A crucial concern is that employees used to collaborating face-to-face throughout the workday can experience less productivity and effectiveness when in-person collaboration is not possible.
This challenge is exacerbated in industries which require a quick response from the employees. GRC issues are a good example as risks need to be detected and mitigated as quickly as possible.
The managers have a firm grasp over their team when the team is working in the office. They can go talk to the team and provide direction and support, they can see the team working, and they can intervene wherever needed.
When employees are working from home, the managers’ visibility into communication, tasks and issues is limited. The following questions must be addressed:
• Are we adjusting the way we work in this new WFH reality, with things like daily stand-ups or virtual water coolers?
• Do we need to reassess our vacation policy?
• Does our compensation strategy need reviewing?
• Are employees working on the things that will move the needle?
Communications: Are we updating employees, partners, customers, and vendors regularly?
• Are we ensuring our internal and external communications are open, that we’re being authentic and maintaining credibility?
• Is there a single source where all employees can go for updates?
• Are we reassuring customers of our continuity, sharing our Pandemic Preparedness Plan [if any]?
Customer continuity: How is customer activity changing over time?
• Are customers still using our software as frequently?
• Are new businesses continuing to flow in?
• Are new projects being started with the same consistency as before?
Third-party continuity: How are partners, vendors, and other third parties managing?
Financial contingency: Are we forecasting and adjusting correctly?
• Are revenues trending into negative territory?
• Where can we cut back on discretionary spending?
• How are our competitors faring?
• Are there any opportunities for mergers and acquisitions during this time?
Security: Are the organization’s assets protected against new risks such as cyber-attacks?
Reputational monitoring: How can we continue to ensure the organization’s reputation isn’t at risk?
• Are we monitoring social media for customer sentiment and satisfaction levels, and responding before issues escalate?
• Are we being agile and responding to customer/client concerns quickly?
• Are we reacting appropriately? If there’s an existing crisis plan, are we following it, and if not, how are we developing/implementing one?
Providing answers to the above questions require an agile and integrated approach to GRC. We must, however, note that GRC doesn’t stand still.
Just as markets and businesses evolve, so too do GRC capabilities, processes and technologies. Across organisations around the globe, executives are focused on cost reduction, efficiency acceleration and productivity improvement and in the GRC world, the same applies.
Innovations advance GRC tools and methodologies all the time to equip organisations to protect business value better, deliver efficiency improvements and drive stronger performance.
GRC technology helps organisations to access and organise data and use it to be prepared, to take action in all of the areas we have highlighted above and to capitalise on opportunities.
All organisations require effective GRC programs. The ones that will gain an edge are those that can anticipate and respond proactively to the shifts and potential risks in internal and external environments. Turning GRC into a business advantage can catalyze corporate performance.
Often, activities apply to multiple commitments across functional areas. The inability to formally tie activities to commitments hinders inter-functional coordination, resulting in business silos and duplication of effort. This must be the road less travelled.
It’s easy to focus on the fear and gloom of this crisis. There is a lot of work going on and it may well be controlled and eliminated just as SARS was in 2004. However, having a GRC plan to cope is no bad thing.
By adopting a standardized and objective best-practice integrated GRC methodology, the organisation can better be able to identify the overlapping activities, prioritize actions, and help make more informed decisions.
If we are fully prepared for surprises, we will avoid shock and knee-jerk reactions. Perhaps this is a great opportunity to prove that integrated GRC is a worthwhile business process. Let it not be the road less travelled for “a toad will realize the importance of water only when the pond gets dry”.