COVID-19 has been a catalyst for many boards and management to focus more on the well-being of their people and their corporate cultures. What could this mean for risk management and controls?
By Karen Loon IDP-C, IDN Board Member and Non-Executive Director
As directors in times of crisis, many of us have become more anxious as a result of the multiplicity of uncertainties we have experienced, both at work and in our personal lives. As a result, in our director roles, we may inadvertently bring these anxieties into the boardroom.
Whilst our role includes asking questions about what we can do to minimise the risk of similar circumstances in the future, and the new environment has definitely led to new risks which need to be managed, particularly cyber risk as digitisation has accelerated, there is also a risk that we ask our organisations to put in place additional measures, policies, procedures and controls without fully understanding the root causes of these complex new issues, which could inadvertently lead to further organisational and employee anxieties and issues in the future.
At this time, is it worth us taking a step back and reflecting on whether we fully understand our organisational cultures and future challenges with a people lens on before taking action?
The impact of Work from Home
COVID-19 has had a major effect on our lives as it has impacted our work-life balance. Confined to home, many of us have seen the boundaries between our private and professional lives disappear. Whilst some may view this liberating, others may not view this as positively. Added to this has been the long emotional roller coaster we have been on – the longer that social distancing lasts, the less energetic and motivated people may be. I know of many people in senior roles who are exhausted as a result of working from home for months.
Maintaining a healthy corporate culture
COVID-19 has not only impacted the business models of organisations but had a significant impact on how people work together. For some employees, they may feel excessive pressure to achieve results due to the fear of losing their jobs. For others, interpersonal relations may be inadvertently strained due to the physical separation of teams. This loss of energy and motivation is challenging the old ways of working together, and could lead to tensions in organisations.
Given the way we work may not return to the way things were for some time (or even at all), reflecting on whether our corporate cultures are healthy and whether their systems, norms and values are fully aligned to the purpose of our organisations is something which boards should reflect on given this will influence how people feel and behave.
How could risk management and controls be impacted?
Many risk management and control frameworks were put in place in organisations to focus people on how to manage their businesses assuming they will operate as usual, that they can identify and manage most risks, and that people will behave as expected. However, not all risks and behaviours are as expected, for example, internal frauds continue to take place. Further, who would have expected COVID-19 would have taken place, and the impact it has had on organisations and people!
In a crisis like COVID-19, sudden triggers may lead to individual anxieties and unexpected behaviours by individuals, some of which may have been triggered unconsciously. Before putting in place additional measures, policies and procedures, it is worth considering how people may feel and may behave as a result of them before putting them in place, as the measures could inadvertently increase organisational and individual anxieties and impact behaviours, which could lead to other risks. It is worth noting that many IT/cyber issues can be traced back to human errors or oversight.
As directors, we have a role to ensure that there is an appropriate balance between resilience and agility in our organisations. To evaluate the effectiveness of the risk management and controls in our organisations requires us to consider our overall organisational cultural context and norms. For our companies to perform, we also have a responsibility to ensure our people’s well-being is looked after. Questions we should ask ourselves are:
- Does the culture of our organisation and the way that we work in the new norm lead to collaboration, respect, trust and accountability? Is there an environment of continuous learning environment where we learn from our mistakes across all levels of the organisation (being individual, interpersonal, group, intergroup and interorganisational) which will allow the organisation to pivot and be agile in the future? Or is it overly competitive and overly focused on growth, more individualistic, have silos and is less open, and is technocratic and rigid?
- How has increased digitisation and working from home changed the way work is done? How have our risks changed, and how should our controls best manage these risks?
- And given the need to manage both performance and people, should we revisit at how we manage our risks and our control environment differently? For example, do our remuneration policies appropriately balance resilience and agility considerations?
Time to reflect
Many of us look at how organisations identify risks and the controls put in place from a rational and logical perspective. However, at times of stress and anxiety, not all of us may behave as we would do in a pre-COVID-19 environment.
In undertaking our roles, we should strive to be empathetic, build trust, and take a step back and consider the people aspects of our organisations and how they impact risk management and the control environment. Assessing corporate culture and putting a people lens on how risks are managed will be an important role of boards when guiding their organisations forward in a more uncertain world.
Karen Loon is a Non-Executive Director based in Singapore.