Risk Management Strategy in an Economic Downturn: How to Take a Holistic Approach to GRC
2024-2-27 23:0:0 Author: securityboulevard.com(查看原文) 阅读量:6 收藏

Economic uncertainty has been a hot topic for all businesses lately. The good news: the US economy might have avoided a recession, and rising interest rates haven’t slowed economic growth. However, bad times always arrive sooner or later, and a wise compliance officer knows that you should build a compliance program that can handle that day when it comes.

That’s a nice theory, at least. So, how can a compliance officer anticipate an economic downturn in practice, and make sure your program perseveres through that ordeal?

Compliance officers can begin by appreciating the predicament their company faces during a downturn; while budget freezes and cutbacks might be necessary, they are nothing personal against you and your team. They’re just financial reality.

Then comes a bit of strategic thinking: if the company is in tough financial straits, what will it need to do to reverse those fortunes? And, therefore, what could the compliance team do to help with those new objectives? 

Actually, compliance officers can do quite a lot. Let’s walk through all those challenges in turn.

The role of risk management strategy in economic downturns

To help your company (and to preserve your compliance program) during an economic downturn, let’s first remember what an economic downturn is. 

Fundamentally, a downturn is a decline in demand for your products or services. The precise cause of that decline isn’t important to us here. Maybe it’s an issue specific to your industry, or maybe it’s a decline in the general economy overall. Either way, less demand means there’s less money coming through the door. That, in turn, means less money to spend on employees, sales, product development, other operations, and so forth. 

Compliance officers must appreciate that point because it helps us understand how businesses behave during an economic downturn. First, they implement controls over their spending so they don’t risk sudden financial collapse. Then they look for new ways to grow — bringing new demand through the door, with new products, services, customers, or some other strategic move.

As chief compliance officer, your job is to understand how both phases will affect your company’s compliance posture. Then, work to ensure that your program can keep pace with whatever new risks arise from them.

For example, less spending in the first phase might mean cuts to your training budget or using legacy systems longer than you’d like. Finding new growth paths in the second phase might mean new types of transactions with customers or new third-party relationships. Any of that might challenge your compliance program — but if you experience a compliance failure, regulators won’t care. There is no “But our budget was cut!” defense. 

That is the rocky path compliance officers need to tread during a downturn.

Surviving when times are tight

In the first phase of a downturn, cost control is the priority. That might take the form of travel freezes, hiring freezes, or layoffs; long-planned technology upgrades might be postponed until further notice. Any discretionary spending could be subject to swift, severe restrictions.

What should the compliance officer do, then? Several things.

1. Find ways to optimize business processes

For example, you might need to re-assign some duties from multiple people to one person or deliver training online instead of in person. You might re-assign duties to reduce reliance on expensive software. Regardless of the specifics, the point here is to look for efficiencies that will help to cut costs.

2. Test new configurations for new weaknesses

Layoffs and other large-scale restructurings are blunt-force instruments and can introduce new complications that will need attention. For example, say you have a control that requires two people to approve an activity, and suddenly, those roles are consolidated into one person. How does the control function, then? Even as you streamline business processes (see above), you’ll need to test those newly optimized processes for potential new weaknesses.

3. Consolidate third-party vendors

This is a time-honored way to cut costs and one of the many reasons why vendor risk management is always a good idea. Identify those vendors that provide duplicative services, and see whether you can cut spending with those you depend on less. 

4. Keep thinking about employees

Engage with employees clearly and honestly about the economic situation and involve them in cost-saving initiatives. Even during a downturn, retaining skilled and motivated staff is essential for maintaining productivity and competitiveness.

As cliché as it may sound, the goal in all of this is to do more with less until the company finds its footing in the downturn. That means looking for ways to cut costs and watching the implications of those cuts to be sure they don’t introduce new problems that slip your notice. 

GRC as your company turns around

At some point (hopefully sooner rather than later), the immediate bleeding of the downturn ends and management starts to look for new ways to find growth. You’ve probably seen how that happens at a high level: new management arrives and embarks on new strategic goals for the company, such as shifting into new products or targeting new customers. In extreme cases, your company might acquire or merge with another. 

Regardless of the exact reboot your senior management team might try, regulatory compliance obligations — and the risks of a compliance failure — will still loom large. Your GRC program needs to anticipate that fact. That means your program should be robust in several practical capabilities that will be important as the company finds its new growth path.

Risk assessment

As management develops new plans, you’ll need to assess the compliance risks that could arise as those plans are executed. For example, the company might decide to pursue customers in the healthcare sector for the first time, bringing a boatload of privacy obligations and other security-related duties. Or the company might want to cut IT infrastructure costs by using more cloud-based providers. Fine, but someone needs to assess the security and availability of those providers. 

Your GRC program will need the ability to pivot quickly so that you can assess and identify potential new risks as the company tries new growth strategies.

Control mapping

This is the next logical step after risk assessment. As the company tries new strategies — “We’ll become a government contractor!” for example — your GRC system will need to identify the new compliance obligations that flow from those moves (such as compliance with the government’s FedRAMP or CMMC frameworks). The more you can map your existing controls to those new obligations, and the more you can rationalize controls so that one process serves multiple demands, the better.

Disaster planning

A wise company should always have disaster recovery plans written and tested, but disaster planning becomes even more critical during times of economic uncertainty. You may have gone through layoffs, eliminating personnel who’d play important roles in a disaster, or you may have branched into new growth areas and picked up new disaster recovery duties, such as notifying certain regulators of the incident. 

Either way, discovering that you’ve missed a step in disaster recovery during the actual disaster is not good. You’ll need to match your disaster plan to the company’s new business strategies, encompassing everything from workforce issues to disclosure obligations to emergency plans for replacement vendors.

Governance

For all our talk of specific GRC program capabilities, remember the human oversight that also needs to happen. In the ideal world, the chief compliance officer should be part of whatever planning senior management does to implement cost cuts or new growth programs so that you can amend your GRC program as those changes happen — rather than be caught by surprise and left scrambling. 

Likewise, the CCO should keep talking with business unit leaders about the compliance risks stemming from restructuring programs, new product launches, and more. For years, compliance gurus have stressed the importance of compliance officers being “in the room” as executive management maps out its plan to conquer the world. That point still holds even when the company is retrenching and figuring out a new risk management strategy for conquest.

Navigate economic downturns with integrated governance, risk, and compliance software

One more cliché: this too shall pass. All economic downturns end eventually. The objective for compliance officers is to weather the downturn’s consequences until it passes and steady growth returns.  

That partly means doing more with less — but even more important, it’s about having a flexible GRC program that can pivot and adapt to changing circumstances. At first, those circumstances might be harsh. Later, they might be surprised as the company wanders down unexpected paths to profitable ventures. Throughout that journey, success will depend on how well you use technology and people to anticipate new risks before they strike.

To effectively navigate economic downturns and ensure your compliance program consistently adapts to changing circumstances, it’s crucial to leverage the right tools. Hyperproof offers a comprehensive governance, risk, and compliance software solution that empowers you to anticipate and mitigate new risks. Request a demo of Hyperproof today and see how it can enhance your compliance program’s resilience and effectiveness.

The post Risk Management Strategy in an Economic Downturn: How to Take a Holistic Approach to GRC appeared first on Hyperproof.

*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Matt Kelly. Read the original post at: https://hyperproof.io/resource/risk-management-strategy-in-economic-downturn/


文章来源: https://securityboulevard.com/2024/02/risk-management-strategy-in-an-economic-downturn-how-to-take-a-holistic-approach-to-grc/
如有侵权请联系:admin#unsafe.sh