Heading into 2020, no one could have predicted how a then-mysterious new coronavirus would cripple global business, as it is doing now. The last time a global crisis struck with such force, it was a man-made event – when the subprime mortgage crisis in 2008 caused the worst recession in U.S. history since the Great Depression.

Governance, risk and compliance (GRC) was just being established then in response to banks’ needs for GRC systems to deal with the uncertain times, uncharted territories and the Unknown Unknowns. Banks were facing a huge number of new regulations such as Dodd-Frank and needed insight into their financial systems. These banks needed to know how to deal with issues across the globe, enact compliance controls, apply them effectively and measure risk management. GRC software was created in response to the needs of large financial institutions, and then expanded to verticals across the globe. To this day, GRC provides versatile tools and solutions for companies navigating a crisis.


The Role of GRC during COVID-19

Fast forwarding to 2020, over one million people globally are confirmed to have COVID-19 caused by the novel coronavirus. While this crisis feels daunting and affects human lives more directly than the ’08 financial crisis, the insights gained over the last 12 years can be applied to tackle Unknown Unknowns across this widely volatile landscape.

Amid a crisis, it is important for organizations to identify where and when potential hot spots may arise. Risks stemming from COVID-19 in terms of geographies, customers, suppliers, business lines and other valuable company assets must be accounted for to provide clarity and visibility in a response. IT systems may be going through unprecedented remote access and usage, raising threat levels and exposing vulnerabilities that create fresh cybersecurity issues. With business systems and processes so intertwined, an incident inside a supplier’s system can greatly impact outside organizations associated with it. Because of this, the velocity of an organization’s response is key to its ability to overcome a crisis.

Once the proper hot spots have been identified, having a system in place to assess risk and coordinate with the appropriate parties can guide companies safely through the storm. A regimented, compliant framework allows a business to nimbly and globally orchestrate the systems of GRC, whether they be unwritten social contracts – think goodwill and reputation – or written contracts with suppliers, regulators, customers and partners. Large companies are extremely complex and senior management needs to know how everything is interconnected, so if something goes really wrong, they’ll know how to triage effectively. However, small companies are just as much at risk, as their resources to outlast a crisis may be limited. With the right controls in place, businesses can remain resilient, even when offices shut down, suppliers are functioning at reduced capacity and employees are in remote locations. Accurate business impact assessments, mass notifications and solid business continuity management can prepare any company for several different types of risk.


Be Prepared – Four Dimensions for Risk Fitness

As part of a strong risk governance program, it makes sense for any company to review its key risks on a quarterly basis. Below are four dimensions to maintain risk fitness.

  • Operational Risk – This includes a company’s people, including third parties who sometimes form the nucleus to support key business operations. The role of technology in automating functions that rely on people becomes paramount when people are isolated.
  • Financial Risk – Financial risk increases when companies have trouble, for example, obtaining financing or when revenues and margins drop. Supply chain problems may also disrupt distribution and production, impacting sales. This, in turn, can cause missed revenue targets, a lack of clarity to provide forward-looking guidance and facility closures.
  • Reputation Risk – Opportunities to excel are also evident in any crisis – bringing forth a chance to show how you responded better than competitors. On the other hand, lack of leadership creates mistrust and confusion. If the firm can’t handle the crisis, can they handle my business?
  • Strategic Risk – Are you prepared to pivot? Companies need a full understanding of how the risks associated with all aspects of their business are interrelated. A company’s ability to quickly triangulate key personnel risk, business resumption risk and operational risks will separate it from the pack and help it meet its business objectives.


The Road Forward

As we look back (and also ahead), the financial crisis gave way to 12 years of solid growth by companies that not only survived but thrived. Today, in the current COVID-19 crisis, GRC is even more important as workplaces go virtual, the threat of cyber risks steadily increases and globalization forces companies to deal with regulations across continents. Simply put, businesses need GRC in this new reality. It is critical for every company to prepare and invest for future events as there will always be another natural or man-made crisis down the road. Preparedness, in part, helps eliminate panic. The good news is that there is, and will be, growth beyond the crisis.