The COVID-19 pandemic has driven a number of changes for institutions of all types and sizes. These changes have created challenges with maintaining a system of risk-based internal controls that meets the requirements of regulators and law enforcement under present conditions and will continue to meet requirements after the pandemic ends. Companies may be tempted to use the crisis as an excuse for scaling back their compliance efforts; however, while regulatory activity may slow temporarily, laws remain in place and compliance expectations do not change. COVID-19 does not give organizations permission to look the other way on bribery and corruption, terrorist-financing activities, and consumer fraud and abuse. Additionally, some organizations may have matters requiring attention, consent orders, or other outstanding regulatory issues that continue to require remediation along previously agreed to or extended timelines.
Organizations need to hunker down and ensure their systems of internal controls align with their risk profiles, keeping in mind that, during crises, there is a significant uptick in criminal activity, from cyberattacks to fraud. So how do organizations survive this crisis and ensure a seamless entry back into normality?
- Have a Plan – You may be saying to yourself, “no kidding.” But the truth is, no organization was ready for COVID-19, no matter how robust their pandemic and business-continuity plans were. Your crisis team needs a broad plan that includes leaders from all areas of the organization to ensure key controls are addressed. It should focus on key risk areas, such as financial crimes and risks to customers (e.g., consumers), credit, and most importantly, human capital. But don’t forget about all risk areas—focusing on some too closely will, in all likelihood, result in an event occurring somewhere else.
- Understand the Interim Requirements – Think back to the Dodd-Frank days, when new regulations were coming out on a regular basis. Make sure your crisis team is on top of all regulatory releases and expectations, some of which have specific timelines. Pay particularly close attention to those that require you to change processes, which in turn will require you to change your system of internal controls.
- Bolster Information Technology (IT) Controls – Remote operating is fraught with risks, from delivery, fraud, and cybersecurity risks to strains on IT-infrastructure capacity. All technologies within the organization, from core systems to area-specific technologies like credit underwriting and anti-money-laundering (AML) monitoring tools, need to be closely managed to ensure they continue operating as expected.
- Improvise, Adapt, and Overcome – To the extent possible, maintain your system of internal controls. However, also understand that you will likely need to make modifications to your system, and that those modifications need to mitigate the risks your system is designed to address. Ensure that any modifications are well rationalized and well documented. Decisions made during the crisis will be questioned later on, and since memories can be short, well-documented changes will help you stand up to future scrutiny.
- Prepare for Fraud – Fraudsters love crises, so don’t let your guard down on external fraud, internal fraud, or fraud perpetrated against your customers.
- Develop Staffing Plans – It is inevitable that some employees will not be able to work remotely, and others may unfortunately get sick. This will place stress on remaining employees to execute the institution’s controls. Also, once shelter-in-place restrictions have been lifted, there may be a spike in customer activity from pent-up demand, which in turn will result in a spike in operational work likely to exceed long-established transaction patterns. (For example, Bank Secrecy Act/AML transaction-monitoring systems may be flooded with alerts once consumer and business spending resumes.) Have a co-sourcing plan in place with a qualified consulting firm so that you can immediately leverage qualified third-party resources if necessary.
- Value Assurance – If there was ever a time to appreciate your operational-risk program and your compliance-testing and audit functions, it is now. These functions should be treated like the National Guard. They are key to helping ensure delivery of services and that controls are appropriate for the organization’s various programs.
The COVID-19 crisis will end eventually. In the meantime, organizations need to work through any issues that could impact their long-term sustainability. Regulators and law-enforcement authorities may appreciate which organizations are under duress, but in all likelihood, they will not forgive noncompliance in the long run, or even the short run.