In the tumultuous year that 2020 has been, it’s no surprise that International SOS’ 2021 Risk Outlook report found that risk perception for employees is at a five year high — up to 79%. The last peak that high was reported in 2016, following a series of domestic and workplace terrorist attacks in the west.
In 2021, as enterprise security leaders look to better understand and tackle their organization’s risks as it relates to the COVID-19 pandemic, following this model can be helpful: designate a dedicated response team; analyze how risks have changed and what new types of risks there are; consider the appetite for taking risks and prioritize them. Let’s talk about each of these actions separately.
Set up a crisis team
If you haven’t already, the first step for enterprises is to set up a specific crisis response team for COVID-19, but also for the future in anticipation of other risks. These teams can, and should, include a wide spectrum of expertise from multiple teams, such as: HR, medical, security, facility, operations and more, depending on your organization's size and makeup.
These teams will create synergies your business may not have had before. At my organization, for example, we have seen increased activity between HR and operations because we need to know who can come into the office and who can’t from an HR perspective, and security hands in access controls to HR.
With that being said, there are financial challenges that may have arisen in 2020 that impact these teams, such as layoffs, so a best practice heading into the new year is to understand what organizational changes are anticipated and how those changes will affect your crisis response teams.
Asses your risks
To understand your organization's risk baseline, or what risks the organization has, you need to closely review and assess what has changed from a business operations perspective and what holes these changes have created in your risk strategy in order to identify where threats are going to be in the future. In wake of the COVID-19 pandemic, it’s important to look at your risk profile from two perspectives:
- With employees working from home, the home setting has essentially become a branch of many businesses and has created a variety of risks. These can include but are certainly not limited to:
- Cybersecurity: Remote workers are accessing business VPN/drives from all over the world, opening up more opportunities for hackers to access sensitive information that is critical to business operation.
- Domestic violence: Employees may have viewed the office as an “escape” from a dangerous home setting and are now stuck at home a majority of the time, causing not only the immediate safety risk, but also heightened stress and anxiety.
- Tech: With many parents working from home, office technology such as computers can now be easily accessed by children and/or pets, putting hardware and more at high-risk for breakage, insider threats and other problems.
- Many of the same prior risks remain, but it’s important to think about how they have evolved, for example:
- Natural disasters: If struck by a natural disaster, medical response and rescue is greatly impacted due to social distancing suggestions.
- Theft: There are no, or less, people in your office now - opening opportunities for theft.
- Supply chain: Social distancing has brought up a lot of supply chain issues, due to a variety of factors including short staffing and lack of materials.
- Workplace violence: Where an employee may have bullied another previously, this can move to online - which in some cases can be worse.
Survey/talk to others
It’s important to look at your risks from a multi-staff approach, by talking to your entry, middle and senior level employees, as well as C-suite leaders about what worries them in their specific roles to help fill gaps at every level. In addition, while your business has its specific needs and risks, talk to partner and peer organizations similar to yours to get an idea of what others are doing.
Risk appetite and priorities
The first step in prioritizing your risks is to determine your organization's appetite for them by balancing the potential benefits and threats of each, and the changes that they could bring.
Once you’ve determined what risks your enterprise can safely take without severely impacting the safety or goals of your business and business people, you need to prioritize which risks to tackle, based on severity and staffing. If something is going to harm employees or business continuity, address that first.
In addition, if something has a low level of effort, do it immediately to cross it off the list. For lower level, and/or larger time required items, try to find a stop gap for the time being and then, with the additional time given by using the stop gap, develop a full project plan to eventually deal with these situations and risks, as you do not want to leave any unaddressed.
Overall, in wake of the COVID-19 pandemic and the vast changes it has had on business and personal lives, it’s security leaders and risk professionals that must take a step back and evaluate how the current situation has impacted their employees and businesses, and evolve organizational crisis management and security plans for the future.