Leading in the Dynamic World of COVID-19: Strategies for helping your people and organization be more resilient
Coronavirus disease 2019 (COVID-19) continues to expand its global impact on individuals, businesses, communities and governments. The dynamic nature of this pandemic makes it hard to assess what will happen next. Here we present resources for our clients on how we are adapting to support them and resources for all business leaders for managing effectively through these challenging times.
Enterprise Resilience for a Dynamic World
Business leaders can confidently face this dynamic world by addressing the following six impact areas across their organizations.
Crisis Management and Response

Establishing a crisis management team and stakeholder responsibilities, and developing the agility to meet the challenges of a dynamic world.
- Board Perspectives: Risk Oversight Issue 128: What Directors Should Be Asking Right Now and industry questions
- What Directors Should Be Asking Right Now
- Getting There Eventually: Finding Equilibrium in Uncertain Times Part 2 -- Resilience is the North Star (The Bulletin)
- A recovery path for healthcare organizations
- Getting There Eventually: Finding Equilibrium in Uncertain Times – Build on Your Strengths
- Coronavirus Forces a New Approach to Crisis Management
- Board Oversight Responsibilities During the COVID-19 Crisis
- COVID-19: Paradigm Shift in the Boardroom
- COVID-19: Paradigm Shift in the Boardroom (An Expanded Discussion)
- Securing Your Organization's Assets in the Face of Crisis
- Keeping Remote Workforces Safe and Secure Part 1
- Keeping Remote Workforces Safe and Secure Part 2
Resources to Navigate the Dynamic World of COVID-19
ENTERPRISE RESILIENCE WEBINAR SERIES
Today's Learnings. Tomorrow's Preparation.
We're facing an unprecedented challenge - but we aren't facing it alone. We believe there is tremendous value to be gained in sharing and learning from diverse perspectives. These Protiviti and Robert Half collaborative webinars provide you with an opportunity to prioritize the conversation, gain confidence in your own plans, and increase your organization's resilience.


NAVIGATING BUSINESS RESILIENCE WITH PROTIVITI
A rapid response approach to manage the crisis

MESSAGE FROM PROTIVITI'S PRESIDENT AND CEO, JOSEPH TARANTINO
Delivering Confidence in a Dynamic World

PROTIVITI'S COVID-19 PREPAREDNESS RESPONSE TO CLIENTS
The health and safety of our employees, and our clients' employees, is a top priority.
Leadership Actions for a Dynamic World
The Evolving Role of the CIO
Key Challenges
Respond
- Address employee safety and engagement while ensuring core service availability and maintenance
- Confirm priority of new and existing critical business projects and redeploy resources accordingly to bring new capabilities and enhance existing technology
- Enable flexible workforce solutions to meet increased demand for services and transactions
- Enhance security and response to address key risks
What to Prioritize
- Crisis management & operational resilience
- Remote workforce to support resource and skill gaps
- Workforce enablement and collaboration tools deployment
- Modern workplace update
- Website performance optimization
- Work from home security assessment
- Pen testing and application security reviews
- Intelligent Process Automation (IPA) to address various work backlogs
Plan & Control
- Reprioritize projects and spend on priorities for cyber, cloud and other critical demands
- Consider IPA for high demand manual/repeatable tasks
- Formalize and build out response functions and command centers
- Review licensing models and consider revisions for the radical environment
- Address security risks and enhance tools for oversight and governance of remote workforce
What to Prioritize
- PMO critical projects to success
- Cloud spend monitoring
- Real-time analytics and reporting to new business requirements
- Enable Security Operation Centers (SOC)
- Design Thinking and innovative problem solving for evolving requirements
- Fraud, privacy and compliance application monitoring
- Agile software deployment and DevSecOps
- Automation and Reporting
Optimize & Fix
- Increase self-service and digital capabilities through redesign of key processes
- Consider cloud migration for applications and review third-party ecosystem reliance to optimize availability and stability.
- Expand automation opportunities to manage cost and controls while considering new resource models
- Embrace innovation to address new risks and evaluate earlier deployments
- Update policies and enable training to ensure resilience to address dynamic circumstances
What to Prioritize
- Issue Management Triage
- Move to cloud to increase operational resilience
- NextGen compliance and monitoring
- Microsoft Office 365 security review
- Information security risk assessments and monitoring
- Cyber threat resiliency
- Process mining for optimization
- Develop robust onboarding / off-boarding tools to manage risk efficiently
New Normal
- Define strategy to enable long-term resiliency and consider study for future contingencies
- Identify and deploy top priorities in the post-COVID environment
- Review workforce blend and initiate transformative workplace change and technology design - facilities, offshoring, managed processes
- Re-evaluate risk profile to address potential expansion of virtual workforce and evolving security threats
What to Prioritize
- Develop strategy, plan and manage resilience plan
- Capture results in real time to inform after-action efforts
- Managed application support
- Monitor and manage operational resiliency risks
- Resource support to deploy existing resilience plans
- Develop compliance plan to ensure meeting regulatory requirements
Relevant Experience & Credentials
US Commercial Bank
Cloud FinOps Analytics
Global Industrial Products
Top Non-Profit Conservation Grant-Maker

US Commercial Bank
Improve Business Continuity Management
This financial services organization needed to review and update its business continuity management policies, processes, roles and tools.
Value Delivered
- Executed a risk assessment and developed Business Continuity Management (BCM) and Business Impact Analysis (BIA) improvement plans based on organizational needs, level of effort, relative cost and business impact.
- Assessment included: BIA process, governance and organization, format, reporting, resource requirements (people and technology), continuous improvement process and tool analysis.
The Evolving Role of the CISO
Key Challenges
Respond
- Address employee safety and ensure their ability to work remotely without issue and with sufficient protections from cyber threats
- Increase employee awareness and diligence regarding phishing attempts, including COVID-19 related messages
- Ensure security partners and third-parties are able to provide services without issue
- Address issues and create plans to ensure the resilience of critical systems
- Ensure security is "at the table" for rapid and impactful business decisions
What to Prioritize
- Staff augmentation to support variable resourcing requirements & skill gaps
- External exposure and vulnerability assessment for infrastructure & applications
- Work from home security assessment
- Security awareness program for COVID-related scams
- Review bandwidth, scalability, and capacity of infrastructure
- Increase protection for network security and assets for remote workforce threats
- Assessing and automating onboarding and off-boarding of resources
Plan & Control
- Assess and update the company's risk profile, including third-party risks, based on changes in threats and conditions
- Review new technologies and processes consistently to address security concerns
- Ensure remote workforce technologies are appropriately implemented and monitored
- Redeploy resources to address immediate need and maintain critical operations
What to Prioritize
- Revisit risk-profile based upon new workforce model and evolving threats
- Inventory and assure new and revised applications/APIs to address web vulnerabilities and data exposure
- Security spend evaluation and monitoring
- Revisit security architecture in cloud integrations
- Assessments for key infrastructure environments
- Automation and orchestration opportunities
- Improve automation around management of identity lifecycle
- Improved management of third-party access to the organization's network/applications/systems
Optimize & Fix
- Define security's transition to a "new normal" operating model, including relevant processes and procedures
- Review resource and budget planning to align with the altered risk profile
- Identify and manage new costs for security tools, licenses or services
- Rapidly evaluate and implement new or enhanced security tools to address vulnerabilities
What to Prioritize
- Capabilities assessment to support 'new normal'
- Automation, analytics and action plans for compliance and identity access management
- Security role in business / IT re-entry plans
- Issue management triage
- Periodic pen testing to confirm remediation
- Revisit control framework based upon workforce changes and re-entry approach
- Cyber threat resiliency, planning and testing
- Incident response playbook alignment with new workforce operating models
- Policy exception tracking and communication
- Reassess and/or consider new managed security solutions given the planned ‘new normal’
New Normal
- Identify top business priorities in the "new normal" and align and deploy strategies to enable long-term security resiliency
- Consider conducting future contingency studies and identify ways the organization can be better prepared for the next "extreme but plausible" event
- Review expected ROI from initiatives and adjust plans accordingly
- Review and revise vendor contracts to better align to the "new normal"
What to Prioritize
- Review updated security plan and budget, and report on current state of 'new normal' for ongoing approval
- Update and expand security and resilience plans for future, large scale disruptions
- Cloud investments for greater efficiency
- Programmatic approach to pen testing
- Risk-based approach to maximize testing ROI
- Compliance plan to meet regulatory requirements
- Enhance cyber resilience testing program
- Full-scale managed security services, prioritizing Managed Detect and Respond and Incident Response
Relevant Experience & Credentials
Energy Services Company
Fortune 500 Property & Casualty Insurer
Global Retailer – Essential Business
Top Chicago Bank

Energy Services Company
Single-Sign On (SSO) with Multi-Factor Authentication (MFA) for Remote Users
This large family-owned bakery was already enabling SSO for access to a variety of business applications, but needed help accelerating their plan's rollout capability for remote end users, in particular with the deployment of multi-factor authentication to increase security of the system access.
Incident Response
This client suffered a ransomware attack that disabled its global server environment. Returning to normal operations quickly was critical to minimize financial and operational impact.
Cyber Program Management
This global risk management firm required support with general, program wide management, enabling its staff to assess and operationalize various parts of its cyber program, including burstable resourcing to help quickly leverage SMEs across all cyber program domains.
Value Delivered
- Quickly enabled multi-factor authentication (MFA) using Okta Verify for employees connecting to business applications from personal devices
- Integrated a critical business portal with Okta for SSO for all employees.
- Automated the provisioning of new user accounts through SailPoint for users that traditionally did not receive Active Directory accounts.
- Provided direct investigation, containment and ongoing cybersecurity monitoring.
- Advised client at the board level, C-suite and external counsel
- Delivered a roadmap for security enhancements during return to normal operations
- Provided an experienced program manager to help track and manage all strategic cyber projects; created a dashboard for ongoing tracking and status updates
- Developed a prioritized list of cyber risks (FAIR) and tied it to current and future cyber maturity initiatives
- Helped refine first- and third-party and M&A assessment processes; provided staff to conduct tactical assessment activities
- Provided strategic guidance and advice to the newly appointed CISO
- Helped shape cyber strategy, develop operational metrics and leverage SMEs to aid in decision making
The Evolving Role of the CFO
Key Challenges
Respond
- Address employee safety and engagement while ensuring core service availability and maintenance
- Confirm priority of new and existing critical business projects and redeploy resources accordingly to bring new capabilities and enhance existing technology
- Enable flexible workforce solutions to meet increased demand for services and transactions
- Enhance security and response to address key risks
What to Prioritize
- Variable workforce models
- Delivery from Client, Protiviti, or remote locations
- Operational resilience plan
- Close checklist automation for financial statement and results impact disclosure
- Cashflow projections and stress tests impacting liquidity
Plan & Control
- Maintenance and quality of financial reports and internal controls
- Review security risks and address gaps
- Address resourcing, logistics, revenue cycle and supply chain disruptions
- Improve crisis management functions
- Enhance tools and oversight of work from home while preparing for workplace return
What to Prioritize
- Design solutions, create and manage project plans
- Implementation of collaboration tools
- Assess and address staffing needs
- Create real-time analytics and reporting
- Enhance or substitute Management Review Controls (MRCs) / governance
- Control design and implementation for new programs
- Financial reporting and accounting advisory
- Supply chain / cost reduction analyses
- Information security risk assessments and monitoring
Optimize & Fix
- Fix broken processes identified earlier while implementing automation to drive efficiencies for close process, reporting and resource models.
- Implement robust data and process analysis tools and address ERP systems for changing data needs.
- Drive employee motivation and innovation in alignment with business needs
- Ensure appropriate governance for all new tools and processes
What to Prioritize
- Implementation of Intelligent Process Automation Solutions (i.e. Robotics, AI, OCR)
- End-to-end process mapping using process mining tools / other automated solutions
- Strategy, design and implementation of Record-to-Report tools
- Design thinking for innovation and optimal solutions
- Financial planning and analysis automation
New Normal
- Identify top priorities in the post-COVID environment
- Study and plan for contingencies and crisis management
- Address reporting requirements including potential accounting delay pronouncements
- Drive efficiency through real estate, enhanced automation and workforce deployment
What to Prioritize
- Program management and resource support to deploy existing resilience plans
- Develop strategy and project plans for next phases of the crisis, including target operating models
- Capture results in real time to inform after-action efforts
- Information security and resiliency planning and testing
Relevant Experience & Credentials
Large International Consumer Goods Co
Large Regional Healthcare Provider
Fortune 25 Healthcare Company
Oilfield Services Company
Large International Manufacturer
Large Retail and Apparel Manufacturing Co.
Large International Insurance Co.
Fortune 100 Technology Company
$1bn Technology Services Provider
$1bn Industrial Services Provider
Top 5 U.S. Bank
Healthcare Resource Usage

Large International Consumer Goods Co
Employee Furloughs and Corporate Restructuring
In response to adjusted revenue forecasts, this company announced furloughs, four-day work weeks and layoffs of 1,000 employees. The reduced workforce entering quarter close put a significant strain on the company’s internal controls over its financial reporting and SOX compliance programs.
Value Delivered
- Provided transition training for the re-assignment of all control activities impacted by the layoffs. This assured control compliance through the quarter.
- Executed quarter-end analytics activities to support significant estimates and judgements within the 10-Q.
The Evolving Role of the CAE
Key Challenges
Respond
- Ensure maintenance of effective control execution and determine additional ways internal audit can support the business.
- Reassess risks to refocus the audit program on COVID-19 processes and emerging risks, and inform stakeholders of changes.
- Adapt internal audit to remote work.
What to Prioritize
- Provide remote resources and SMEs
- Refresh risk assessment
- Train clients on controls hygiene
- Review user access provisioning in light of furloughs and new roles/privileges for segregation of duties and timely removals of terminations
- Conduct Design Thinking session to identify most critical areas of focus
Plan & Control
- Identify opportunities to implement agile in the audit methodology
- Refocus the audit plan to address new and emerging risks
- Define how controls can be executed in a different way and increase focus on fraud monitoring
- Address the tools, processes and oversight needed to allow for effective work from home arrangements
What to Prioritize
- Design and implement Agile methodology into the audit process
- Enhance usage of existing tools such as MS Teams and SharePoint
- Conduct cybersecurity audit to evaluate risks of remote work
- Evaluate third party suppliers’ security capabilities, fraud and operational resilience
- Publish and coordinate security and fraud awareness training
- Develop operating procedures and training for new IA processes
Optimize & Fix
- Refresh the risk assessment to account for changes to risks and the business throughout the year
- Enhance ability to effectively visualize testing and data analyses
- Review and refresh the fraud risk assessment
- Review the internal audit resourcing and culture to identify enhancements
What to Prioritize
- Implement tools to enable Dynamic Risk Assessment
- Implement real-time Dynamic Reporting and data visualization of audit results using tools such as Tableau and PowerBI
- Implement Advanced Analytics tools to provide deeper insights into the areas under audit
- Conduct fraud risk assessment
- Establish Continuous Monitoring of process controls
- Develop Aligned Assurance approach
New Normal
- Identify and implement improvements to the organization's and internal audit's operational resiliency plans
- Address control breakdowns resulting from the pandemic
- Identify and implement the technologies and tools to operate as a NextGen internal audit function
- Consider how to implement more automated testing
- Re-evaluate the risk assessment for high impact/low likelihood items and adjust to ensure coverage
- Ensure effective internal audit governance for the "new normal"
What to Prioritize
- Use Process Mining to gain insights into the path of transactions and identify deviations from desired control activities
- Develop RPA scripts to automate repetitive work paper setup and conduct testing
- Run automated SOD analyzer tools such as FastPath or SAP Assure on a periodic basis
- Review operational resiliency plans retrospectively to identify opportunities
- Conduct Next Gen IA maturity diagnostic and develop transformation strategy for IA
- Implement Resource Management tools and supporting technology for the IA function
Relevant Experience & Credentials
Design Thinking - GSK
Celonis Process Mining–Global Beauty Brand
Next-Gen Assessment - Healthcare
Fraud Risk Identification Framework - Top 10 Semiconductor Foundry
Internal Audit Uplift and Fortune 100 Readiness - Salesforce
RPA - Managed Care Organization
Agile IA Consulting - US County
IA Support: Accounts Payable (AP) Analytics - An American Coffee Company

Design Thinking - GSK
We facilitated design thinking sessions to help the client define their strategic vision and organizational structure as they navigated through an internal audit transformation.
Value Delivered
- Prioritized, by difficulty and importance, the key actions needed to define strategic vision and organizational structure.
- Created a roadmap to achieve the future state of Internal Audit.
The Evolving Role of the CAE - SOX
Key Challenges
Respond
- Adapt to remote work and ensure owners are supported in updating controls to reflect the new reality.
- Ensure control execution and corresponding evidence is maintained
- Reassess SOX scope and materiality.
- Increase focus on fraud monitoring
What to Prioritize
- Variable workforce models
- Delivery from client, Protiviti, or remote locations
- Update SOX risk assessment
- Client training on controls hygiene
- Client training on remote working implications to SOX compliance
- Review user access provisioning in light of furloughs and new roles/privileges for segregation of duties and timely removals of terminations
Plan & Control
- Identify and implement tools, processes and oversight needed to allow for effective work from home arrangements
- Define how controls can be executed in a different way
- Ensure sufficient evidence is retained so that controls will pass SOX design and operating effectiveness tests
- Define the need to document and test new business units, levels of precision or processes due to changes in materiality
What to Prioritize
- Enhance usage of existing tools such as MS Teams and SharePoint
- Identify and inventory controls that have been modified due to the pandemic
- Engage and educate process owners to alert them to potential pitfalls they will encounter due to remote work and control changes
- Document and design controls for new in-scope areas
Optimize & Fix
- Identify and communicate reports that will be delayed or otherwise impacted due to the pandemic
- Refresh the organization's fraud risk assessment
- Review and implement updates to process documentation for revised controls
- Review and refresh the SOX risk assessment to account for changes in materiality
What to Prioritize
- Conduct fraud risk assessment
- Perform testing of new/revised controls
- Map CEUC from SOC reports to management’s controls
New Normal
- Identify and implement automated controls opportunities
- Consider software tools that can be implemented to support evidencing controls
- Identify and remediate control breakdowns resulting from the pandemic
- Review regulatory requirement changes and shifts and revise timelines and strategies accordingly
What to Prioritize
- Implement software tools to support internal controls evidencing
- Benchmark the SOX program against the 2020 SOX Survey by revenue, filer status, industry or number of locations
- Implement SOX documentation and testing tool
Relevant Experience & Credentials
Fraud Risk Assessment Methodology - Global Air Travel Community Member
SOX Program Management – Technology, Media and Telecommunications
AuditBoard Implementation – Global Manufacturer
Controls Rationalization Review – Fortune 500 Corrugated Packaging Manufacturer
RPA - Professional Services

Fraud Risk Assessment Methodology - Global Air Travel Community Member
The client required a repeatable fraud risk assessment methodology to identify and prioritize potential vulnerabilities to fraud that could result in a material misstatement of the company’s financial statements.
Value Delivered
- Developed a COSO-based Fraud Risk Management Program Questionnaire for management to assess its entity-level fraud controls.
- Created a customized list of over 50 fraud scenarios for in-scope processes.
- Facilitated a fraud risk brainstorming session with the CAE and Internal Audit Team to obtain inherent risk ratings.
- Mapped internal controls to fraud scenarios and documented results in a fraud risk and controls matrix ("Fraud RCM").