COVID-19: Response and Preparedness through the lens of Risk ManagementPublished March 23, 2020 by Harry Chawla • 4 min read
Responding to a New, Global Threat
The old adage warns “An ounce of prevention is worth a pound of cure.” The saying becomes even more pointed for threats that, unfortunately, do not yet have a cure. But the lessons of risk management offer a path forward, where prevention takes the form of avoiding, mitigating or reducing risks.
As people and organizations confront COVID-19, the novel threat has inspired an array of new strategies to combat the pandemic. Social distancing, self-isolation, sheltering in place—efforts to stop the COVID-19’s spread leverage risk management principles to fight a public health threat.
Applying Risk Management Principles During the COVID-19 Pandemic
Some businesses have mature risk management programs and apply its principles to any new threat. Others may be less accustomed to approaching problems with that toolset; they worry that, if they do not already have robust preparedness or disaster recovery structures in place, they cannot start now.
But, even for businesses without a solid risk management platform – even for businesses in crisis mode – risk management practices can help people navigate uncertain times. Consider how the risk management cycle can organize thinking and lead you to more a more effective response:
1. Threat Identification
As COVID-19 affects people around the world, the impacts it causes can threaten businesses. Supply chain disruptions may affect inventories and shipment times; travel restrictions may hinder productivity; quarantines may slow consumer demand and constrict cash flow.
While it’s a best practice to have official business continuity plans, many organizations do not and even those that do may not have planned for the extensive threats COVID-19 is likely to involve. The first step in addressing the crisis is understanding the threat landscape.
2. Assessing Vulnerabilities to Specific Threats
Next, organizations must explore how specific threats are likely to affect their businesses. A good practice is to start your assessment with critical assets. Although disruption can stem from other assets, too, prioritizing critical infrastructure focuses on the major building blocks of your business.
When assessing vulnerabilities, be sure to consider vulnerabilities from vendors and business partners, including their cybersecurity preparedness. Wherever a third-party or their systems interact with your business’s ecosystem, it is a potential vulnerability.
3. Determining Risk Exposure
When connecting threats to organizational risks, consider how likely the threat is to occur, and what consequences would arise within your business if it did. Remember: both the threats themselves and the measures taken in response to threats can manifest differently for different organizations.
Areas that historically have been low risk may be significantly affected by changed circumstances. For example, shutting facilities down may affect a business’s security risks and associated controls. Such organizations should ask themselves: are there temporary controls that might be more suitable? If they have been introduced, have employees been trained on those temporary controls? Have you audited for factors like training completion rates, employee compliance, and effectiveness of the temporary controls?
4. Identifying Ways to Reduce Risks
After risks are identified, the question becomes how to treat them. The specifics will vary depending on your organization and what your assessment found. The Cybersecurity and Infrastructure Security Agency shared suggestions of actions organizations can take to respond to physical, supply chain, and cybersecurity issues in light of the COVID-19 pandemic.
Reciprocity uses ZenGRC’s dashboard feature to communicate about risks, formulate plans, and monitor performance. It has the advantage of being customizable, mapping tasks to the organization’s policies. With easy information sharing, an organization can do what is necessary to make people safer.
A more secure process can be a strategic advantage during uncertain times, and organizations should communicate that strength to their customers. At Reciprocity, we know that first-hand. With the COVID-19 crisis expanding, we have taken steps to protect our own employees while also ensuring continuity of services. We were pleased to be able to assure our customers that our SLA is rock solid, and ZenGRC is facilitating customers’ own COVID-19 related adjustments.
5. Prioritizing Risk Reduction Measures
As people around the world are now experiencing, reducing risk exposure can be the best – or the only – strategy for avoiding negative outcomes. Just as hand-washing is the first and most effective step for preventing COVID-19 transmission, basic IT hygiene is at the core of information security.
The Center for Internet Security (CIS) has developed a prioritized list of cybersecurity actions, called the CIS 20, designed to maximize security while minimizing costs. They estimate that the top five controls prevent about 85% of cyberattacks—the digital equivalent of hand-washing.
Reciprocity is Here to Help
At Reciprocity, we understand that these are uncertain times, and we are here to help your organization meet its priorities. As your business adjusts in response to Coronavirus, we can assist with the transition to a digitally-distributed workforce, and guide you through the considerations integral to maintaining information security risk and compliance.
To help you build on your current program, or to help get you started on your journey, please contact us at 877-440-7971 or firstname.lastname@example.org. As always, our team of information security risk and compliance experts are standing by to help you tailor your organizational risk management program to your specific needs.