W H ITE PA P E R

Risk Leadership’s Guide to the

Second-Phase Impact of COVID-19
By Matt Kelly

When COVID-19 first struck the business world in March 2020, many people described it as a tsunami
of disruption (69.2 million mentions of “COVID-19” and “tsunami” on Google, to be exact). The metaphor
was fitting in more ways than one.

When a tsunami slams into land, it hits with enormous ferocity, sweeping aside everything in its path—
similar to what happened to the world in the first weeks of the crisis.

Don’t forget what happens next, however. The wave just keeps coming.

It gushes over the shoreline first and then sweeps into the interior. It wallops structures far inland, that
never encountered the threat of a rogue wave before. When the water finally recedes, the damage left
behind is tremendous and long-lasting.

That’s the peril many companies now face from COVID-19. The initial shock of it has worn off, and
businesses have moved into some semblance of crisis operations. The risks, however, just keep coming.
Some are consequences of those first emergency measures; others are new pressures that COVID-19
will impose on businesses for many months to come.

So, what is that second phase of COVID risk? How can risk management teams adapt to that world and
develop the capabilities they’ll need to help the organization survive until COVID is gone for good?

Five risks coming over the horizon

Shifting corruption risk. Corruption risk is shifting in
multiple ways simultaneously. First, as recession grips the
economy, more individual employees and management
teams will be tempted to engage in fraudulent transactions
to protect their jobs. Second, as more employees work
remotely and communicate via online apps that can be
hard to monitor, uncovering corruption schemes those
persons might be plotting becomes more difficult. And third,
companies may find they need to work with new suppliers
or business partners, possibly under time pressure where
due diligence isn’t adequate.
So, our emergency responses to COVID-19 make assessing
and monitoring corruption risk more difficult, even as the
overall risk of corruption is increasing because of the poor
economic climate.
Increasing cybersecurity risk. Along similar lines,
cybersecurity risk is increasing because more of the
company’s business operations now happen online. The
big shift is that many of those operations now include
interpersonal tasks: executive deliberations, board meetings,
contract negotiations, investigation interviews, and so forth,
that rarely would have happened online before. Now they do.
That sudden shift to online communication—more
employees, discussing or exchanging more confidential
information—is clearly a huge cybersecurity concern. At the
same time, however, employees might be using unauthorized
chat applications, or have those applications misconfigured.
So evaluating third-party cybersecurity risks and effective
monitoring of networks and data become critical security
processes.
New business continuity challenges. COVID-19 expands
the range of issues a company must consider when
evaluating business continuity. It’s no longer enough to
assure that your own company has sufficient inventory,
backup computer servers, and necessary work-from-home
technology.
Now business continuity must incorporate the continuity
of their suppliers, vendors, and other business partners.
Essentially, they must monitor the continuity of their
whole business model and connect those risks to the
company’s financial position. COVID-19 will require risk
teams to understand much more about continuity outside
the company’s own enterprise and use that monitoring to
update scenarios for the company’s own ability to continue
as a going concern.
Infectious disease risk. Companies must also remember
that COVID-19 is a disease, and therefore, they will need
to control their company’s exposure to it. That means
companies will need to implement an Infectious Disease
Outbreak Response Program—the IDORP.
These programs are related to, but more detailed than, a
pandemic response program. Where a pandemic response
program might tackle questions about international travel
or supply chain instability, IDORPs focus specifically on how
to prevent COVID-19 from spreading among employees.
Controls could range from temperature checks on the
factory floor to sick leave policies. IDORPs need leadership,
policies, training, and more.
Strategic risks. COVID-19 is changing business models,
weakening some competitors, strengthening others, and
creating new opportunities all at once. Senior executives and
corporate boards will need to be aware of those strategic
risks as they evolve.
The priority here will be to understand how management’s
immediate decisions to respond to COVID-19 will affect
the long-term risks and opportunities of the organization.
For example, your company might find lucrative merger
targets available at an affordable price—but if your company
hadn’t been sufficiently preserving cash or access to capital,
that opportunity might slip by. Or, new markets might be
possible, if the company has sufficiently sharp customer
analytics to uncover them. Success will hinge on the
company’s ability to monitor multiple strategic, financial, and
operational risks at once.
Developing the right
COVID-19 capabilities
Those are the new risks COVID-19 is posing to the
corporate enterprise. So, how should risk management
teams respond?
The best way to approach the question is to think in terms
of capabilities. What will risk management teams need to
be able to do to help senior executives and the board make
better decisions about the many threats COVID-19 raises?
Viewed through that lens, several answers come to
the fore.
First, risk managers will need to do better at
collaboration with other members of the risk or audit team
working remotely, with other business functions trying
to operate during COVID-19, with senior executives and
the board—with everyone, really. Risk managers will need
improved interpersonal skills and communication tools
to understand precisely how COVID-19 is threatening
some part of the enterprise and then work with others to
implement a successful remediation strategy.
Second, they’ll need to do better at risk assessment.
Recall our point above about how COVID-19 expands
what business continuity risk means, to include customers,
suppliers, and whole business models. Assessing that will
be difficult. (It will also depend, at least partly, on the better
collaboration we just mentioned.) Or, consider the practical
challenges of assessing disease exposure on the factory
floor and the wisest ways to respond to it. That’s not
something many enterprises have had to evaluate before.
They do now.
Third, they will need sharper monitoring of the
organization’s activity. Fraud, cybersecurity, financial
liquidity, supply chain—those risks won’t just change; they
will evolve, from one moment to the next. Risk teams will
need to build data analytics tools that pull in data from
multiple sources (both inside and outside the enterprise) and
provide the latest, best picture possible of the company’s
overall risk posture.
Fourth, risk teams will need to develop rock-solid data. We
often talk about the need for a “single source of truth” in
one repository of data, and that need is certainly valid. But
we should also realize the risk of incomplete or inaccurate
data will rise during COVID-19 because so many employees
will be working apart from each other. Critical data might
be stored on someone’s personal hard drive, or fraudsters
might try to fabricate data. Organizations will need to
coordinate data governance, document retention, and data
security into one broad effort at building the best repository
of data possible.
And fifth, risk teams will need skillful regulatory change
management, to assure that when the government or public
health authorities do change their rules for how business
must operate, your enterprise is aware of that change and
how it will affect your operations. For example, some states
and countries might relax lockdown rules at different times
than others, and your executive team will need to decide
what to do. Or, public health authorities might warn of a
new disease outbreak—which should, ideally, automatically
trigger certain procedures stated in your IDORP.
The end goals: agility
and resiliency
The goal here is an enterprise that can identify and respond
to COVID-19 risks as they emerge. In other words, an
organization that has agility and resiliency.
We can define agility as the ability to respond quickly
and easily, and resiliency as the ability to withstand
sudden shocks or disruptions. Those traits, scaled up to
the enterprise level, will be crucial to endure the ordeal
otherwise known as COVID-19—because we don’t know
what challenges it will bring next, or when this ordeal will
pass. The stress and uncertainty this virus has brought
upon us will be a state of life for many months.
wp20200507 j119148
The information contained herein is proprietary to Workiva and
cannot be copied, published, or distributed without express
prior written consent. Copyright 2020 Workiva Inc. Workiva is a
registered trademark of Workiva Inc. All rights reserved.
Risk management functions will be instrumental in
supporting that agility and resiliency. With the right
technology and collaboration across business functions,
risk teams can build the data analytics that find emerging
risks. With proper support from the board and executive
management, they can also develop remediation plans—
everything from IDORPs to new data management
procedures to tighter anti-fraud controls—that will keep
those emerging risks in check. That agility and resiliency will
allow the enterprise to keep advancing its objectives, despite
the difficulties that COVID-19 will spring upon us.
That’s what the board and C-suite want, and that’s what
the enterprise will need until the day this virus is behind us.
About the author
Matt Kelly
Editor and CEO
Radical Compliance
Matt Kelly is an independent compliance consultant
who studies corporate compliance, governance,
and risk management issues. He maintains a blog,
RadicalCompliance.com, where he shares his thoughts on
business issues and speaks on compliance, governance,
and risk topics frequently. Kelly was named as “Rising Star
of Corporate Governance” by the Millstein Center for
Corporate Governance in the inaugural class of 2008 and
named to Ethisphere’s “Most Influential in Business Ethics”
list in 2011 (no. 91) and 2013 (no. 77). Matt previously
was editor of Compliance Week, a newsletter on corporate
compliance, from 2006 through 2015. He lives in Boston
and can be reached at mkelly@RadicalCompliance.com or
on Twitter at @compliancememe.
About Workiva
Workiva, provider of the world’s leading connected
reporting and compliance platform, is used by thousands of
enterprises across 180 countries, including 75 percent of
the largest 500 U.S. corporations by total revenue, and by
government agencies. Our customers have linked over five
billion data elements to trust their data, reduce risk, and
save time. For more information about Workiva (NYSE:WK),
please visit workiva.com.
workiva.com | info@workiva.com | 888-275-3125