The COVID-19 pandemic has forced businesses of all sizes to navigate new ways of doing business on top of dealing with immediately pressing cash flow concerns. This rapid shift in priorities has left many organizations more vulnerable to certain risks. In Baker Tilly’s webinar, “Crisis, continuity and recovery: a real-time enterprise risk workshop,” our specialists discuss how organizations can identify and mitigate risks in real time with special attention to cybersecurity and fraud risks.
While the immediate fallout from COVID-19 is beginning to level out as organizations and employees settle into the new normal and aid is being made available by the U.S. government, the risks associated with the situation are still very much ongoing. The first step to mitigating any risk is identifying it, which is where enterprise risk management (ERM) can help.
ERM is concerned with how you manage your business’s risk every day – not just during a downturn – and with making that process more transparent to your leaders by formalizing it. During a downturn, it can certainly be difficult to focus on more than the negatives of the situation, but some organizations are discovering opportunity (the upside of risk). ERM can help you identify both.
While each organization’s ERM program is going to be different, the basic structure should consider the following process:
Broadly speaking, it’s important to note that having your risks defined and processes in place allows you to pivot your strategy quickly to adapt to new situations. No one can predict the future, but organizations can – and should – plan for high-impact possibilities. It may seem advisable to focus on high-impact/high-likelihood risks, but as the current situation has proven, it’s well worth your time to give some attention to high-impact/low-likelihood events, such as a pandemic.
Now that many employees are working from home, one of the most obvious risks facing many organizations is cybersecurity. While your best defense against cybersecurity threats is still simply to train your employees to be suspicious, working from home opens the door to organization-wide cybersecurity risks through personal devices, home network security, and virtual private networks (VPNs), for the simple reason that all risks on home devices get transferred to your corporate network.
Every business is different in terms of complexity of infrastructure and types of systems used, of course, but the following are some of the major trends and emerging threats to be aware of in the new environment:
For an in-depth guide to good remote work practices, we recommend the National Institute of Standards and Technology’s “Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security” (NIST 800-46).
Organizations are particularly susceptible to fraud in a crisis because fraud relies on deflection and distraction. Simply put, people behave differently in a crisis – they are motivated by emotions and follow different lines of reasoning than in normal times. That includes the bad actors as well as the good.
Crises also tend to inhibit fraud detection activity because people are focused on other things – for example, meeting sales targets or more obvious risks like cybersecurity – when in fact, fraud potential may have increased. It’s no surprise that bad actors will take this as an excuse to exploit others’ distraction.
Individual behaviors in a crisis do not correspond to everyday life behaviors, which should be worrying for organizations. During the financial crisis in 2008, anxiety, confusion and disbelief led to poor and unethical decisions, often with the justification that the action would happen “just one time.” That one time, of course, can have profound consequences, especially if multiple people are making multiple bad choices in an already risky environment.
So as we continue to move into a world of remote work, what can organizations do to mitigate the risk of fraud?
One final risk relates to organizations with leaders who are incapacitated by COVID-19 or helping family members who are sick. If the organization lacks qualified people in those leadership positions, over-reliance on the skills and capabilities of people who are filling a leadership void can be problematic.