COVID-19 has us reeling from health, social, and economic shocks, but this isn’t our first global crisis. It is, however, the first in which cybercrime plays a starring role.
The world has faced several pandemics in the past 100 years—several influenza pandemics including swine flu (H1N1) and Avian, or bird, flu, and HIV/AIDS—as well as economic depression and a number of recessions. Life and business tend to suffer disruptions during crises, but at least one thing holds true: the need to comply with laws, regulations, and industry standards.
This time, though, compliance is different. Regulations addressing cybersecurity and data privacy are now in the mix, and the rapid shift to work-at-home, telemedicine, and digitization of operational and consumer services have made security and compliance particularly challenging.
Suddenly, the boundary that surrounded on-premises technology and cybersecurity, protected by firewalls, has exploded. As data and networks move to the cloud at an unprecedented pace, malicious actors are probing for weaknesses, challenging security teams to work overtime to safeguard their systems, networks, data, and devices as well as their workers.
Failure is not an option. Falling out of compliance with critical cybersecurity and privacy frameworks might mean facing penalties your enterprise can ill afford during the global economic slump the COVID-19 pandemic has caused.
And yet, this crisis shares similar traits with those of the past. Business leaders can learn key lessons from those experiences, and use them not only to bolster their compliance efforts today but also to plan for future crises.
What businesses are saying about compliance right now
Respondents to a Compliance Week survey in late March 2020 said they remember well businesses’ emergency response to the Sept. 11, 2001, terrorist attacks and to the swine flu pandemic of 2009-2010.
Some said those experiences had positioned them to prepare for COVID-19’s effects proactively: they had disaster response and business continuity plans already in place to guide them.
Nevertheless, 67 percent of respondents agreed or strongly agreed that managing and monitoring compliance became more challenging in the weeks after the pandemic began.
Those challenges include:
- Disorganization caused by a remote workforce (37 percent)
- Keeping tabs on coronavirus-related regulatory guidance (31 percent)
- Supply chain disruptions (23 percent)
- Employee absenteeism (23 percent).
All these problems can affect compliance. For information on how, see our special report, COVID-19: Compliance Considerations for Remote Employees.
Remember the past—and learn from it
As organizations broaden their technology bandwidth; modify their policies and procedures to accommodate a remote workforce, and take other actions to prevent or limit business disruptions, some are using lessons learned from past crises to help them make better decisions now.
Looking ahead, these and other lessons could serve your enterprise well now and later—should a second or third wave of the virus strike, as typically happens with pandemics, or to help you cope with future pandemics—which Microsoft CEO Bill Gates predicts could occur every 20 years.
These lessons include:
Test your business continuity plan (BCP)
The last thing your enterprise needs in a crisis is a failure of its disaster response/business continuity plan—which could result in disruptions in your business and controls. Fine-tune yours for response to risks you can’t even imagine, and test it in advance so you know it works as it should before you need it. If you need help with your BCP, check out our checklist.
Assess your supply chain and establish workarounds and backups
Where are the weak links in your supply chain? Foresight will help you avoid falling out of compliance because of them. Risk Management Software can help you track and analyze third-party compliance.
Update your risk assessment
COVID-19-related risks such as the new work-from-home normal, increases in online interactions and transactions, and a surge in cyberattacks require new assessments of your organization’s risk and compliance posture organization-wide. Now is the time to prioritize risks and hone in on those posing the most immediate threats to your enterprise.
Technology and travel have shrunk our world, increasing the likelihood that the effects of a pandemic or other crisis will have a global impact. When revising your risk models, act locally, but think globally.
Communicate, communicate, communicate
Provide information in a steady stream to your workers, leadership, shareholders, business partners, clients, customers, and other business stakeholders. Proactive communications can reassure them and ensure that everyone knows their roles and responsibilities to help keep the business running as smoothly and securely as possible and in compliance with regulatory and industry mandates.
One idea: Establish an email address that employees can use to ask questions or raise red flags.
During a crisis, continually assess your response and be willing to pivot, if need be. Software with alerts and dashboards can monitor, send alerts, and track workflows to help manage your response.
Have a contingency plan
If something isn’t working as it should, have another plan ready to activate. While you’re in crisis mode is not the time to scramble for solutions.
Prepare for absenteeism
During the swine flu pandemic, employee absenteeism posed a risk to business operations and finances, according to Risk Management. To track illness and possible contagion, and plan for the staffing of services and functions deemed essential to the business, the publication recommended categorizing workers in four groups:
- Essential to the worksite
- Essential, but can work remotely
- Non-essential, and can work remotely
- Non-essential, and not necessary to work remotely.
Keep a sharp eye out for fraud
While your organization is in upheaval and attention is distracted by the exigencies of the pandemic is precisely the time when fraud, waste, and other financial misconduct is likely to occur. Lessons learned from the 2008 financial crisis include being vigilant about compliance with the framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in response to a number of fraud scandals that occurred in the 1980s.
Don’t repeat past mistakes
“Those who cannot remember the past are condemned to repeat it,” the poet and philosopher George Santayana famously said. The bad news is that human memory is fallible. Also, as personnel come and go in your organization, you may lack the institutional memory to recall the enterprise’s response to the swine flu pandemic, for instance.
But that’s one of the many reasons why we have software. ZenGRC, our governance, risk management, and compliance solution, is like the proverbial elephant that never forgets.
ZenGRC remembers everything, tracking and monitoring your risk management and compliance efforts, assigning tasks and managing workflows, assessing your risks and those of your third-party vendors, and helping you assess what’s going well and what’s not, and why.
And when it’s time to look back and prepare for the next crisis, ZenGRC will still be there with the data and details you need. That’s good news—and who doesn’t need a bit of that during this crisis?
Worry-free compliance management is the ZenGRC way. Contact us today for your free consultation.