Assessing Risk in a Pandemic

Paul Phillips
Author: Paul Phillips, CISA, CISM, CDPSE
Date Published: 9 December 2020

To effectively assess risk in a pandemic, leaders need to focus on the risk at hand, the associated right metrics, and evaluate all elements of risk: impact, likelihood and velocity. Management must evaluate how quickly the organization may experience risk and what potential impact it may have on people, assets, operations, supply chain and profits.

Digital risk is the likelihood that a given threat will exploit a vulnerability resulting from digital transformation and the implementation of related technologies. Related risk that is impacted includes cybersecurity risk, third-party risk, business continuity risk and data privacy risk, all of which contributes to the uncertainty of achieving business objectives.

The ongoing pandemic has led to rapid and unexpected change in all aspects of life – our homes, relationships, work and every industry sector. Companies have had to modify processes and procedures, and quickly adapt to emerging technologies in some cases.

There have been a number of apps that have emerged in recent years, including health-related apps to support remote healthcare. This includes contact tracing for COVID-19, and it is fair to say this trend will continue. However, like any other digital solution, there are inherent risk that must be identified, assessed, analyzed and responded to as these tools continue to emerge.

As new processes and technology emerges to accommodate the “new normal,” companies should keep their eyes on the laws of the land. In recent years there have been quite a few privacy regulations enacted. Many of these tools that have been created address a business need, but in doing so, there are new considerations around processing, transmitting, and storing company and personal data, especially as it relates to contact tracing apps, but also to wearable recording devices worn by law enforcement and other agencies. Therefore, companies must consider the risk of non-compliance as they move along the digital transformation continuum. HIPAA, GDPR, PCI, FERPA, and the CCPA are just some of the regulations that require compliance even as transformation takes place during a pandemic.

Digital tools have the ability to help employers get staff back to work, thereby increasing or at least maintaining or restoring productivity. However, these digital tools also have inherent risks that may be overlooked, especially when there is pressure to implement them quickly. Therefore, it is for employers to consider the risks and how to appropriately respond to them. The appropriate countermeasures should be instituted to mitigate risks, but that is only one aspect of responding to risk. Management may decide to accept risk associated with emerging digital technologies, but should only do so based on a risk assessment and according to the company’s risk appetite.

So, how do you keep risk management on track to protect the company’s assets and its ability to meet business objectives during an unexpected major event such as a pandemic? Risk management requires working with company leaders to adapt quickly to current events. This means focusing on the risk basics – identifying, assessing, prioritizing, responding to, monitoring and reporting risk.

Editor’s note:
Find out more about ISACA’s new IT Risk Fundamentals Certificate.