ORM/ERM Roundtable – Pandemic Response (April 2020)

Spire Search Partners discussed the following regarding the pandemic response at the April 2020 ORM/ERM Roundtable:

• Continuity/Resiliency Performance
• Policy Exceptions/Tracking
• Productivity & Communications
• Third Party Response & Oversight
• Pandemic Planning
• Health & Wellness

Section 1: Looking Back

Generally, ORM and BCP/Resiliency plans were on point at the onset of the pandemic – most firms were able to quickly (but not immediately) adjust to working at home and were able to flex/adjust controls as needed to maintain appropriate levels of productivity.

Most were still putting fires out and over the last few weeks and reworking some internal processes, but generally happy with how nimble firms were.

Transitioning to Working From Home

Just about everyone was pleasantly surprised by the fluidity with which they were able to transition to 95% plus of employees working from home with little or no capacity issues.

• There were initial issues on day 1-3 but they were quickly sorted out; most firms have ‘work from home’ as their back up plan but when it happened en mass it caused a few issues
• Firms generally had a week or two to prepare – raised the question of what if it had to be done at a moment’s notice ie: a lock down happens in the middle of the night
• M. Anastasio noted that they had been performing unannounced BCP test for about 2 years, turning people away when they arrived in the morning having them pick up at home with no notice, proved a useful practice
• Initial concerns about having printers and scanners going home was also surprisingly quite manageable with appropriate exceptions to policy
• Most firms eventually figured out work arounds for regulatory requirements like call recording and paperwork processing

Communications

Some felt this could be more buttoned down with regulators, more comprehensive, would have been better to be more aggressive with the warning signs.

Offshore Units/External Vendors

India work sites are typically very sterile locations with no outside communication devices; firms had to make pretty large exceptions to policy to let them VPN from home and continue working.

• At this point levels of control have been lowered – raises the question of what level is necessary when things get back to normal
• Similar situations experienced by most with their critical vendors – policy exceptions empowering them to work from home
• Most are closely tracking exceptions to policy as part of their process and to inform future plans

Tracking and Leveraging Data

In an effort to track where everyone was and what they were sent home with one firm moved their Archer data into a Power BI database housing all the critical processes and are finding it very beneficial – it has created an opportunity to move beyond the traditional BCP, making it manager owned, data driven and easy to update. It has created insight and daily reporting that informs managers with useful insights.

Section 2: Current Perspective

Leadership is tracking ops risk events, closely tracking exceptions to policy, and considering the overall impact on productivity, using that information to inform future pandemic-specific plans (separate from BCP/Resiliency plans).

Leadership is working through third party and vendor BCP/Resiliency plans and their response to the pandemic – requiring a much deeper look at their operating models than ever before.

Some firms really stand out in how they have supported their employees working from home and in a heightened state of concern regarding health and wellness.

Operational Risk Events

No one cited any noticeable increases, though I’ve personally heard a bit of anecdotal evidence of increased incidents with the workforce working at home.

Tracking Exceptions to Policy

Firms are closely tracking policy exceptions including where the approval is, who made it, for how long, who knew about and who owns it – making it all auditable.

• If it’s all trackable and auditable, there is less concern about regulatory response and allows for certain exceptions to potentially become permanent

Firms Are Feeling More Nimble in Their Response

Some have empowered people to make decisions allowing them to react quickly, make strategic decisions/exceptions and enable a smoother transition/go forward – the view is that if a bad decision is made they can quickly unwind and redirect.

• This has also created an opportunity to recognize talent that wasn’t in the spotlight before

Pandemic Planning

Pandemic planning is different from BCP and resiliency planning; one firm cited the creation of an independent COVID-related risk registry to help inform future overall pandemic strategy.

• This goes far deeper than BCP/Resiliency, continuity is great when you can fail over to another location, but a pandemic is multi-jurisdictional, the impact is farther reaching and the response must be different

Tracking and Measuring Productivity

Most firms are looking at how best to track/measure productivity while people are working from home, this would inform future plans and how to adjust as the current situation continues to extend, but no one present had any direct way of measuring productivity.

• Some are looking at ops risk events as a proxy and talking to managers to get a sense for productivity levels
• Several did site a noticeable increase in hours people are working, perhaps due to not having a commute or from the double duty some parents are managing
• More process oriented work seems in some cases to show an increase productivity

Third Party Risk Management

Third party risk management has come to the forefront as firms (and their regulators) work to gain a deeper understanding of the BCP/Resiliency models of their critical vendors and determining suitability and necessary exceptions to policy as those third parties have had to initiate their own pandemic policy.

• Firms in some cases have had to consult with vendors to help them get the necessary frameworks in place

Financial Support for Employees Working at Home

One firm is providing additional compensation to employees to enable their work from home situation (to buy equipment or furniture, whatever is needed to get a workable set up in place).

Aggressive Health & Wellness Campaign

Some firms have greatly ramped up communications across the entire company, providing a sense of connection, relevant education, and even recommendations for staying well and engaged while working from home.

Section 3: Looking Forward

Ops Risk Leaders want to know if the current state of operations is sustainable and what the longer-term effects of deterioration in controls will be. Firms agree there is a growing desire to get back in the office, and an acceptance of heightened levels of caution.

However, expectations are that the presence of Covid will be prolonged, with additional waves to come in the future, as such firms are planning for some permanent changes.

A new BAU to which we will slowly transition back to; either starting with a rotational program (some portion of employees always out of the office) or some other interim state of operations to have in place until there is a vaccine or anti body testing widely available.

Some firms may never go back to a full office program. However as this new norm comes to fruition it will be marked by a heightened health and wellness responsibility assumed by firms.

How Will Creativity, Productivity, Ops Risk Issues Suffer

Most are concerned about how an extended work from home state will stifle the innovation, productivity and solution generation that comes from the fluidity of people being in the room together.

Equally concerning is the potential delay in operational concerns/issues being brought to light that usually comes from in-person conversations initiated when leaders are ‘walking the floor’.

• What else might be lost when you lose the opportunity to walk through teams/office space and connect with people, be visible and open the door to conversations in the ‘trenches’?

Should Office/Physical Space Be Rearranged

Given this new state of concern and the known risk of a pandemic does it make more sense to have cubicles instead of a trading floor style set up; cubicles more safely separating people.

How will landlords/managers of multi-tenant buildings support changes around cafeterias, health clubs, etc?

Are Business Continuity Sites Still Needed

This experience has put into question the need for large disaster recovery locations, if working from home is working fine and the transition is improved could the DR footprint can be seriously curtailed?

How Best To Bolster A Health & Wellness Program

Risk leadership is thinking through how they will best provide their employees with the comfort and peace of mind to return to the office and get back to BAU. How people feel today can be very different to how they will feel 3-6 months from now.

• Determining the right level of confidence that can be provided and what are the signals that it has been achieved?
• Some firms expect to have nurses on site, temperature scans, what is the level of herd immunity, will there be comfort with mask wearing, what sort of testing will be available for anti-bodies and how do you get set up for that?
• Firms are establishing “reverse trip wires” to get ahead of future situations that will deliver confidence to the people in the business
• Expectations are there will be 2nd wave in the fall

How Will Additional Operational Stresses Be Absorbed

Other risks persist (Cyber, IT, Weather, etc) and can overlap with current/future pandemic waves – how will firms handle these especially in an environment of deteriorating controls?

• One firm with substantial presence in Florida is considering how hurricane season may overlap with a fall wave of Covid and how that may undermine working from home plans – they are cross training employees in other areas who could step in for any office/location/business that may have to go offline

Section 4: Additional Thoughts

Location Fluidity – If costs savings alongside health and wellness drive a permanent state of rotating the work force in and out of less space, the work space will permanently extend to each person’s home – how will the overall ORM framework permanently readjust to support it and what additional skills, tech and talent might the team need to manage that?

WIFI – with everyone working from home, potentially in perpetuity, WiFi becomes a critical breakpoint; what solutions might come to light and what new agreements might need to exist with providers to lessen the risk of this technology causing potentially large and persistent issues?

Health & Wellness as part of ORM/ERM – How might ORM functions need to expand their teams to cover “health and wellness” as an operational risk – when you consider that COVID or a similar virus could take a team or key executives out of play, and if something like that happened the concern across the office could destabilize employee engagement and confidence.

ORM/ERM leadership is already thinking through how best to manage these risks but are they currently equipped to make the right decisions now and maintain this extension in the future?

Productivity & Communication Tech – Can some of these issues be alleviated by the right technology existing or not yet developed.

Download the full presentation here: ORM/ERM Roundtable Presentation – Pandemic Response (April 2020)