Even as the Covid-19 pandemic continues to reshape the banking and financial services industries, forward-looking organizations are focusing on how they can adapt to a post-pandemic world. With many business processes and controls forever changed, boards of directors — including their audit and risk committees — acknowledge that their views on fundamental risk issues must change as well.
New Workplaces, New Risks
One of the pandemic’s most disruptive effects was the upheaval of the centralized workforce. For decades, employees gathered together in a central location to work. Businesses took great pride in these workplaces, even putting their names atop the buildings in which they were located.
However, the pandemic shattered that model — possibly permanently — along with the concept of regular office hours and the expectations that personal devices should not be used for company business. During the pandemic, employees worked from their kitchens and dining rooms, improvising as they adapted to new ways of operating that would have been impossible 20 years ago. Beyond the obvious physical, security and technical risks associated with this dispersal, board members should understand some of the less visible risks.
For example, corporate culture often is shaped from the ground up through casual workplace interactions, which can be lacking in a remote work arrangement. Similarly, if people cannot gather together physically to brainstorm ideas, innovation and creativity can suffer. Many executives also lament their inability to read body language, tone of voice and other nuances in employees’ behavior to spot potential problems.
These types of risks are inherently difficult to quantify. Nevertheless, risk committees should be aware of them and ascertain whether management is addressing them.
Of even more pressing concern, however, are the effects that a decentralized workforce has on a bank’s business processes and control environment. While the immediate responsibility for overseeing management’s response to these risks might be assigned to the audit and risk committees, ultimately all board members have oversight responsibility and should make a committed effort to understand these risks.
Audit and risk committee priorities
Previously, when audit committees addressed risks associated with business processes and controls, they had the advantage of operating in something like a laboratory. The bank controlled most of the variables such as access controls, approvals and validations. In the post-pandemic world, however, risk monitoring and mitigation efforts must address new variables outside the bank’s control.
One specific audit committee priority is the need to evaluate how a dispersed workforce affects the control environment. Controlling access to systems is an area of major risk; remote reconciliations, remote approvals and digital signatures also are important concerns.
While a virtual private network generally would be the preferred method of providing remote employee access, that capability often was unavailable during the pandemic. Other options became necessary. In addition, many controls had to be redesigned quickly, with little time for testing the adequacy of their design or the effectiveness of the implementation.
Now is the time for many audit committees to take a step back and look holistically at their banks’ control environments. In addition to system access, this overview should include controls governing the retention of sensitive data, timely execution of controls, coordination to resolve deficiencies and validation of secondary reviews.
In assessing such controls, committee members might be constrained by their limited understanding of the technology. Given the novel nature of today’s situation, audit committees should consider getting qualified technical assistance, independent of management, to evaluate the steps taken to accommodate the new work environment.
Strategic issues and board concerns
Both the risk committee and the full board should consider broader questions as well. At a strategic level, boards should explore whether management’s response to the pandemic is sustainable. In other words, should the new practices the bank established — including remote work arrangements — become permanent?
Bank management teams have issued many press releases recounting how successfully they responded to the crisis. As banks move into the post-pandemic world, board members should review these responses and ask whether the new practices will allow for growth and innovation so that their banks can thrive in the future while still maintaining a well-controlled work environment.
As they revisit documented policies, controls and procedures — and remeasure the associated risks — boards and management teams ultimately must decide whether the new control environment is consistent with the strategy of the bank and capable of sustaining its desired organizational culture.