The Operational Risk Best Practice Forum has identified information security, recordkeeping and cyber-related fraud as firms' top-three controls weakened by the mass shift to home working prompted by the COVID-19 pandemic.
The forum, comprising up to 50 financial services operational risk practitioners, discussed these risks and noted a switch from business continuity to full crisis management during its March conference call.
“It is time for operational risk to show to the board how nimble and flexible they are. Operational risk needs to put aside non-urgent projects and programs, step up to provide a prompt opinion on the risks posed by the pandemic as well as key controls that have been weakened,” said Elena Pykhova, director and founder, The Op Risk Company and chair of the OpRisk Best Practice forum.
Many firms were prepared for a shift to home working, but perhaps not at the scale required in their pandemic response. Firms need to be clear about who is leading their crisis management efforts.
“It’s no longer business continuity but a switch to a full crisis management. It varies from firm to firm who is in the lead – either first line operational resilience or SMF24 in the UK or second line operational risk and information security or jointly the first and second line via firms’ crisis management process which some organisations now have pulled in extra project resources for coordination. Whoever is in the lead, it’s time to work together as a team and collaborate,” Pykhova said.
Deep dive needed
Risk managers must lead a deep dive into firms’ control environment to assess the impact of weakened controls related to the shift to home working and raise findings with their boards.
The top-three weakened controls identified were:
- Information security: Pykhova pointed out that in an office environment there are secure ways to dispose of confidential printed documents, shredders being the most common. Firms should assess how confidential paperwork is handled in the home environment and develop a policy.
- Recordkeeping and evidencing: Firms are already grappling with the challenge related to recording phone calls as traders place orders and relationship managers advise clients. At a time when markets are falling it is essential that firms step up recordkeeping and evidencing around client interactions to mitigate future disputes, Pykhova said. Many tasks related to recording and evidencing client interactions are not completely automated. Firms should assess whether manual processes are being followed to protect themselves.
- Fraud and phishing: When employees are multitasking at home, they may not be as vigilant about cyber risk as they ought to be. Firms need to raise awareness of cyber risk and ensure that anti-malware software is updated and virtual private network (VPN) patches have been deployed.
“It is the role of risk to lead the thinking as well as remind employees to be vigilant. These are the days where robustness of controls can go downhill, and a timely independent operational risk opinion goes a long way towards focussing the attention to the right priority areas,” Pykhova said.