Sea Change in Risk Culture: Addressing WFH Risk Through the Lens of Banking

Until a few months ago, no one would have believed that large swaths of the workforce would be doing nearly everything from within the four walls of their homes, including, for example, the most complex banking transactions and other financial activities that normally involve walking into a bank branch office. However, since the outbreak of COVID-19, that is the reality, and many individuals and organizations have adjusted, recalibrated and adapted to this “new normal.” Individuals have embraced working from home, at their own convenience, and they have accepted the restrictions in their movements and the paucity of facilities available in this crisis situation. The pandemic has led to a steep rise in unemployment and pay cuts, setting back the careers of many. Enterprises have had to continue to pay hefty rents, utility bills and maintenance services for well-polished but largely empty offices; institute hiring freezes; and cut costs on business events to somehow make up for their loss of income.

The pandemic has brought about a renaissance period that will have a long-lasting if not permanent impact on businesses, sectors and industries. According to the World Bank, even the most advanced economies will face the deepest recession since the 1990s. There will be an overall 8 percent shrinkage in global growth in 2020 due to the huge toll on human capital, restricted travel, health systems stressed beyond capacity and patchy remittances and mounting debts in the face of reduced income.¹ However frightening this reality may be, the first step toward acceptance is to acknowledge that there will be a change in the way enterprises work going forward.

Take, as a case in point, the banking industry which is at the forefront of any developing or developed economy. The different kinds of risk inherent in banking activities will have different magnitudes and levels now that so many of them are performed remotely. There will be an unprecedented shift in “risk culture,” which can be defined as the ethics and values that people within an enterprise adopt when performing even the smallest task with the resources at hand, which can affect the enterprise in any manner in the present or future.

Any organizational transformation is based on three critical elements: people, process and technology. Meeting these minimum requirements and ensuring a good balance among them are of the utmost importance for the efficiency of any enterprise. Risk culture is the string that holds them all together, and its strength defines the relationship among the three critical elements. The following discussion of risk culture focuses on operational risk using the banking industry as an example.

Strengthening the People Factor

Global Workplace Analytics conducted a survey in early 2020 related to the work-from-home (WFH) experience. Nearly 3,000 employees globally responded to the survey. Sixty-eight percent said they were successfully working from home. Before the pandemic, 88 percent had worked from home more than once a week, and 67 percent had not worked remotely on a regular basis. Seventy-six percent of respondents said they want to continue to work from home, and 70 percent of managers reported satisfactory (same or better results) of employees working from home.² Although this looks positive, what cannot be overlooked is that the most important factor of risk culture is people.

The people who work in banks formulate plans, develop strategies, make decisions, perform tasks, write policies, acquire technologies and do everything necessary for the bank’s growth. They drive the banks. Their mindset, combined with business objectives and strategies on how to achieve them, defines the strength of the risk culture.

Working remotely has some advantages, but it also puts people’s attitudes to the test. In an office setting, people can generally walk over to a colleague’s desk or drop by the boss’s office; they can consult co-workers at the water cooler or over coffee, asking their opinion or getting clarity or concurrence on issues.

When everyone is working from home, there is no visibility—there is no way to gauge a person’s availability, workload or mood—and no technology can take the place of in-person meetings and the connections made there to enhance collaboration, creativity and innovation. This lack of visibility can lead to two types of situational crisis: an unpleasant interaction because it takes place at a bad time for one of the parties, or a hasty decision made without input from others, due to time or other constraints. Multiple iterations of the former situation can permanently damage an otherwise healthy relationship between employees. Repetition of the latter situation can cause material losses to the enterprise or expose it to risk.

Working from home can also hamper discipline and increase procrastination given the many distractions. If this is not addressed, an employee’s performance and efficiency can suffer, accounting for missed deadlines, postponed assessments and decisions, and delayed product or service launches, which can, ultimately, impact the business. As a result, the daily to-do list may keep ballooning, affecting the employee’s quality of work. Degraded performance and poor efficiency can be an obstacle to success, and the increase in unsupervised or minimally supervised activities can reduce confidence in the quality of these activities.

WORKING REMOTELY HAS SOME ADVANTAGES, BUT IT ALSO PUTS PEOPLE’S ATTITUDES TO THE TEST.

Taking the following steps can address these potential negative aspects of WFH:

• Strategize—Identify the types of work performed in all units and determine the need for employees’ physical presence in the office vs. the ability to WFH. Then develop a road map with clearly defined objectives for a WFH program.
• Build strong WFH policies—Clearly set rules for working from home. The International Organization for Standardization (ISO) standard ISO 27001 mentions the security of teleworking, which may not be strong enough in all enterprises.³
• Devise emergency and safety measures—Set up and implement all fundamental emergency and safety measures at the office, where a portion of staff may be working. These may need to change as the situation unfolds.
• Encourage communication—Enable regular audio and video meetings among team members to keep everyone abreast of ongoing projects and tasks at hand, to brainstorm and discuss new ideas, and to make important decisions together.
• Investigate new workspaces—Look for low- budget but healthy workspaces for employees that would reduce the amount of money spent on leased office space while giving teams a place to collaborate and follow all safety measures.
• Communicate from the top—A strong commitment from leadership regarding healthy and efficient work habits and endorsement of risk culture is important. In addition, empathy and assurance about possible outcomes can inculcate ethical job performance where physical supervision is not possible.
• Reduce errors—Having a risk-gauging mindset can reduce the possibility of mistakes by employees. Emphasizing the criticality of employees’ jobs is more important than ever, especially for employees performing banking operations and financial activities.
• Review critical tasks—Have an additional layer of review for critical tasks that are performed manually by employees working from home.
• Back up work—Evaluate critical employees and single points of failure and arrange for backups.
• Anticipate problems—Identify tasks that are difficult or risky to perform remotely and build workarounds.
• Add a second line of defense—Risk management teams define and govern metrics (key risk indicators [KRIs]) covering the critical parameters of banking functions and processes. Add more WFH factors in these indicators—for example, the number of staff working from home but visiting the office for any reason, the number of staff processing transactions from home, the number of staff taking maximum deviation approvals for processing due to the pandemic.

LIKE MANY OTHERS, PROCESS OWNERS MAY BE PUT IN A WFH SITUATION AND BE UNSURE ABOUT HOW TO CARRY ON BANKING TRANSACTIONS AND OTHER ACTIVITIES WITHOUT MUCH CUSTOMER CONTACT.

Managing and Implementing Process Changes

In the banking industry, the amount of banking currently being done from home is the largest in the history of the sector. Hence, it is quite natural that no one has figured out the “how” of it. Banks may be required to amend some of their existing procedures or create new ones to perform daily tasks in a new manner. There are challenges at all levels, such as collaborating among different teams, complying with regulatory requirements while keeping the business up and running as usual in changed circumstances, and obtaining the necessary reviews and approvals from relevant functions working in isolation at home. Like many others, process owners may be put in a WFH situation and be unsure about how to carry on banking transactions and other activities without much customer contact. Customers may be unable to submit the necessary documents or fulfill the requirements for processing a high-priority transaction or completing an urgent deal, increasing the pressure on operations staff. The ethical dilemma of maintaining customer relationships while complying with organizational policies and regulatory requirements is intensified during this period. The following tasks can help address these challenges:

• Identify all processes that need to be changed, and map those changes with the bank’s policies and regulatory circulars and announcements. Follow the same procedure for all new processes introduced.
• Pass all the changes through the risk management team to obtain insight on any new risk factors inherent in the changes, in addition to those existing in the original process. Follow the same procedure for all new processes introduced.
• Ensure that any documents for transaction processing that are received by email follow all the baseline security controls and mechanisms.
• Ensure that physical documents are received to back up the soft copies received by email at a date agreed on with the customers, as and where applicable.
• Recognize that the audit function has an increased responsibility to review all changed and new processes, and ensure they are working as expected and all the necessary controls are in place to mitigate risk.
• Add new KRIs, such as the number of process changes introduced in a month, the number of changes that may need to be reversed, and the number of processes or process deviations put into practice without approvals.

Ensuring Technology Security

Technology has become increasingly important in the banking industry in the last two decades. It is thanks to technology that even in today’s WFH environment, banking has been able to continue to function, largely carrying on business as usual. However, technology involves many risk factors, even in normal situations. Remote working adds to that risk, as the WFH situation has led to the at-home use of many critical applications and systems. This represents a golden opportunity for cyberattackers and hackers. The biggest challenge is to maintain the highest level of security on banking systems and networks. Another challenge is to protect banking and customer data during the entire life cycle—origination, rest, motion, use and destruction.

A bank’s virtual private network (VPN) may be strong, but the public or private networks that employees use to connect to it may not be as secure. These networks may be connected to a host of other devices that can expose the bank’s devices (laptops or desktops) to malware or possibly cyberattacks. The strength of such home networks is another issue that may cause a disruption in work. For example, what if a laptop or desktop provided to an employee is not being updated with the latest patches and antivirus versions due to network slowness? When these devices connect to the bank’s VPN, they may expose the bank’s network to threats. Completing the following tasks can help manage these risk factors:

• Have all critical systems on secure technologies, such as virtual desktop infrastructure (VDI), and provide access only on a need-to-know and need-to-do basis—the basics of information security.
• Increase the frequency, scrutiny and diligence in firewall rule configuration reviews.
• Keep tabs on devices that are not getting daily antivirus updates and the latest patches.
• Spending more time on business continuity planning (BCP)/disaster recovery (DR) policies and procedures.
• Conduct BCP/DR drills and tabletop exercises regularly, and implement the lessons learned to take immediate effect.
• Have IT services and help-desk personnel, especially if outsourced, respond promptly to service calls. Employees trying to solve major IT issues in bank-provided systems on their own can be dangerous.
• Implement secure videoconferencing and teleconferencing technologies with proper updates and well-managed licenses—basic requirements for the WFH world.
• Secure data by all possible ways and means. Put data loss prevention (DLP) systems on high vigilance mode.
• Add new KRIs, such as the number of systems not receiving antivirus updates, the number of data leakage prevention alerts, the trend of information security incidents, the number of technology changes related to WFH, and the number of VDI or critical systems access provided.

HAVING A STRONG RISK MINDSET MEANS ALWAYS THINKING ABOUT WHAT CAN GO WRONG AND HOW IT WILL IMPACT THE BANK.

The Risk Mindset

Having a strong risk mindset means always thinking about what can go wrong and how it will impact the bank or any enterprise—from an important new product launch to a mundane activity such as data entry. To inculcate a sense of risk in people, test their reactions to hypothetical scenarios or real case studies and include the following three steps:

1. Identify and analyze risk—What is the process? What can go wrong with it?
2. Assess and act on risk—What should be done if something goes wrong? Who should be contacted? What are the primary measures to correct what has gone wrong? What are the long-term measures? How and how soon can those measures be implemented?
3. Monitor and mitigate risk—What steps can be taken to prevent the recurrence of such events? How can such events be monitored?

Conclusion

Difficult times have taught banks and other enterprises the importance of taking an all-around view of what can go wrong and what the impact will be on the organization’s reputation, financial position, and physical and logical security. Risk culture has to be a habit that applies whether working in an office or remotely. If it is, banks and enterprises ready to embrace the cultural shift coming their way.

Endnotes

¹ The World Bank, “The Global Economic Outlook During the COVID-19 Pandemic: A Changed World,” 8 June 2020, https://www.worldbank.org/en/news/feature/2020/06/08/the-global-economic-outlook-during-the-covid-19-pandemic-a-changed-world.
² Global Workplace Analytics (GWA), Work From Home Experience Survey Results, USA, 2020, https://globalworkplaceanalytics.com/global-work-from-home-experience%20survey#:~:text=Here%20are%20the%20top%20findings,home%20%20(68%25%20globally).&text=3)%20People%20feel%20they%20perform,more%20satisfied%20%20collaborating%20in%20person
³ Leal, R.; “How to Apply Information Security Controls in Teleworking According to ISO 27001,” 27001 Academy, 22 March 2017, https://advisera.com/27001academy/blog/2017/03/22/how-to-apply-information-security-controls-in-teleworking-according-to-iso-27001/

Sumedha Adavade, CISA

Is an operational risk manager with DBS Bank. She has more than 13 years of experience in risk and compliance, audit, and information security, providing risk-mitigating solutions and assurance to banks and other financial institutions.