Business Continuity Plans (BCPs) are funny things.

At their most basic, BCPs are the real-world response to the old “Hope for the best, Plan for the worst” adage.  It’s honest recognition that being stuck between a rock and hard place is better with a hammer, albeit with no guarantee that the hammer is big or small enough to be helpful.

Nonetheless, a well-conceived BCP provides peace of mind, like insurance does, with the added satisfaction that only authorship (or ownership?) brings.  The rub, of course, is that every BCP is, at the end of the day, still just a plan.  As boxer, actor, felon, playwright and corporate strategist ’Iron‘ Mike Tyson once famously said, “Everyone has a plan until they get punched in the mouth.”

Indeed.  Because sometimes pipes break in the 2^nd floor ceiling of your office and leak antifreeze everywhere.  And because, other times, there’s COVID-19.

The benefit of having a BCP plan in place to manage either situation is that, well, there is at least a plan.  And despite what Kid Dynamite says, the real truth is that any company with a plan retains, at the very least, a fighting chance to get back up after they’ve been hit.

For Lowers Risk Group, like many others, COVID hit our industry, our business – our people.  We were fortunate, though: our Business Continuity Plan was 5 years in the making.  It didn’t matter, until it did.

Back in 2015, CTO David Lowers, Chief Security Officer Joe Labrozzi and Director of IT and Security Chris Sosnoski recognized the need for our growing staff to have partially, if not fully, remote capabilities.  What was initially driven by space concerns evolved with the access to and the ability of new technology to support fully secure, remote work that reduced cost, increased efficiency and enabled greater flexibility that could support new business opportunities within Lowers Risk Group.  With this foundation in place, Lowers, Sosnoski and Labrozzi were able to take the organization’s global footprint of over 550 people (spread over 3 continents) to fully remote in less than 2 weeks with zero business interruption when COVID hit.

And though Facilities might disagree, being fully remote due to COVID made the impact of that leaky pipe one less headache to manage when stress levels are already elevated.

We asked Labrozzi and Sosnoski to tell #OurStory of transition to a fully remote work environment.  We asked them what made it possible and to share a few insights that could help other organizations with the creation and implementation of their own BCPs to author their future resilience.  Below is a transcript of our conversation.

On behalf of the entire organization – thank you both for your efforts and keeping the organization on its feet as COVID hit.  How did your teams manage this transition?

Sosnoski
Our ability to go remote during COVID was strategic and began 5 years go.  Wholesale Screening Solutions, our largest division at Lowers Risk Group, was beginning to test our space limitations.  At that time, the VA HQ had about 400 people on-site.  Additionally, the Wholesale team recognized a need that they had to hire in different areas, not just in VA HQ.  We were tasked with how to support that, and it was clear we had to embrace the cloud.  Buy-in from David and other executive leadership there was the first step.

Labrozzi
What really drove the process was what was happening in Wholesale’s Georgia office, our first off-site campus.  We needed a base to get our people into the courts to do research.  That organically began to create resiliency in our operations – rather than rent out trailers, for example, in the event of something happening, our second location offered redundancies as technology matured.  As we gained more experience managing this remote location in GA from our VA HQ, we saw it was possible to have and manage a remote workforce while still doing secure work.  We then built a series of processes around this concept that laid the foundation for more remote work, and we’ve been working at that ever since.

Sosnoski
Right before COVID hit, for example, we launched phase 1 a Unified Communications as a Service (UCaaS) initiative with plans to roll-out Phases 2 and 3 in the coming months.  What would have been a much more measured roll-out was accelerated by COVID.  But, had we not been building towards that – not just with the UCaaS launch, but all the work leading up to the launch – it would not have been as easy or seamless.  However, we had our BCP in place and were able to activate it,.  Our teams stepped up and, again, the full support of leadership helped make it happen.

What were the steps you were taking to build that initial foundation over 5 years?

Sosnoski
The goal was always to keep the working experience as secure and as available as possible, so it was about taking small bites at the apple.  Exploring, testing, and implementing remote training, for example.  Cloud-based email.  Our UCaaS environment.  We were able to leverage cloud resources like Microsoft, Adobe, Salesforce, AWS and Zscaler to achieve this.

The complicating factor was the cost associated with it – we had to be willing and able to spend monthly on subscription services.  For a while, that was a barrier, but we continued to make the business case while moving from a hybrid environment to a cloud environment.  Transitioning the phone system to UCaaS, for example, was a two-and-a-half-year effort to make happen and now our teams are loving the flexibility it offers.  Our teams can do remote assessments and maintain contact with each other and clients easily.

How did you each manage the workload during the COVID transition to remote work?

Labrozzi
Teamwork.  At VA HQ, Chris and I have sat next to each other for years, so we have a great working relationship – that’s part of the culture at LRG, which is probably also a reason the transition was smooth.  But it’s about the quality of who you work with.  Chris’ IT team knows what needs to get done – they’re reliable and fast.  I focused on the human capital element, making sure that we were dealing effectively with any productivity concerns, making sure teams were staying connected.  We all operate from a leadership mindset and depend on each other to play our parts.

Sosnoski
The real risk in remote work is not technology, it’s management process.  My team trusts each other to get things done.  When COVID hit, we found a useful strategy was to use quick, daily stand-up meetings.  For the most part, these types of meetings continue in some capacity across all departments; I know upper management remains committed to finding one-on-one time for their direct reports.  Process is super important in all this, but equally so is everyone’s ability to do their job.

Any key takeaways to offer other organizations from your experience?

Sosnoski – I think there’s really three that worked for us:

• We started planning early and had already explored the risk environment, developed the processes that would provide us a path of least resistance to continuity and had leadership buy-in.
• We identified the right digital tools and had assessed, budgeted for and tested them as part of the plan strategically; having to do this during COVID would have been very difficult.
• We were all aligned on the work that had to be done to achieve the vision; for us that was finding a secure, scalable and available environment to perform our risk mitigation work.

Lowers Risk Group provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly regulated environments and organizations that value risk mitigation.  Our human capital and specialized industry enterprise risk management solutions protect people, brands, and profits from avoidable loss and harm.  With Lowers Risk Group you can expect a strategic, focused approach to risk assessment, compliance, and mitigation to help drive your organization forward with confidence.  Contact us.

As discussed in our most recent LinkedIn post, COVID 19 has forced companies to review and amend their operations top to bottom. And whether these changes are temporary or long-term, one thing is certain: the impact on both business and employee culture is permanent.

The best businesses right now are doing two things: 1) finding ways to stay open and 2) evaluating the future. And the best leaders of these businesses understand the value of employee training, especially in times like these: a safe, secure environment creates well-being for employees and customers, which enables more innovation with less interference. Given the current circumstances, employees want to be sure that their employer is looking out for them. The first step in achieving this (while also keeping the cash registers ringing so that your strategic plan has a future) begins with a wholistic understanding of the business risks. That is, surveying.

While traditional consulting and surveying is simply not plausible right now, recent advancements in technology and encrypted video have made virtual surveying a viable option.  For businesses considering a virtual survey, the team at Lowers & Associates has compiled a list of insights and considerations that may be helpful in your discovery process:

• The primary benefit of virtual surveying is that it can be conducted anytime, anywhere. With no travel, virtual surveying is one of the best ways forward-thinking businesses can control costs.
• Virtual surveys are less disruptive to the organization and provide quicker report-in-hand turn around. This can be a massive advantage for organizations pressed for time or with reduced staff capacity.
• Always a collaborative exercise and NEVER the “lesser of two evils,” virtual surveys can often provide deeper insights than those conducted in-person (sometimes business owners feel more at ease with a physical distance between themselves and the surveyor).
• Rapid advances in technology come with a learning curve. Leading risk mitigation consultants should be versed in a suite of technology applications to successfully execute a virtual survey.
• Information is information, right? Sort of.  Asking the right questions matters, knowing how to analyze the answers makes all the difference, and consistency is king.  Virtual or not, surveyors reviewing requested documentation and/or an audio/visual recording of the survey should be able to turn around the same exact results.
• Consistency is key in both business and surveying. Virtual surveyors should be able to hand over responsibilities to another surveyor if one should fall ill or become unavailable. Process can be both a businesses’ arrow and its Achilles Heel!
• Virtual surveying should include an ability to perform the following:
  • Pre- survey meetings
  • Staff competency and interviews
  • Reviews of:
    • Day to day operations
    • Site physical security
    • Insurance
    • Fiduciary Controls
    • Policy & Procedure
    • Vault construction
    • Crime and illegal activity (Local and Countrywide)
  • Facility Design Consultation
  • Follow up consultation meetings

Adaptation is crucial for businesses during this real-time reinvention of the workplace, and for 30 years, Lowers & Associates has pushed the boundaries of technology to keep those workplaces safe (this includes virtual surveying). #OurWork #Together has also always been collaborative, and so we encourage you to view and share the insights, stories and applicable tips that our team has been publishing at the Lowers & Associates LinkedIn page. If you have any questions, please contact us.

In our work in high risk industries, we routinely uncover fraud and asset misappropriations. While it may seem counterintuitive, with the US and global economy currently at a standstill due to COVID-19 shelter at home directives, organizations should be on high alert for occupational fraud during this time. The Fraud Triangle provides a framework for explaining why this is.

Formulated in 1953 by criminologist Donald Cressey, the Fraud Triangle theorizes that fraud occurs when the fraudster feels financial pressure, they are presented an opportunity, and/or the person can rationalize the theft.

With record numbers of Americans filing for unemployment and organizations operating with skeleton crews, the circumstances are ripe for fraud to take place.

A “Perfect Storm” of Conditions

Today, with organizations shut down to outside visitors (including, in some cases, outside auditors) as well as many employees, we are seeing a virtual petri dish for fraud. Two corners of the Fraud Triangle – opportunity and rationalization – are getting bent pretty hard. The third corner, incentive, in the form of extreme pressure, is bent even further. People have less supervision, more opportunity, and way more financial pressure.

So while you’re dealing with this pandemic and the resulting disruption, now more than ever is the time to be vigilant.

Opportunity

The coronavirus pandemic has driven unprecedented change in the workplace. Many employees are either laid off, have taken a pay cut, and/or are working remotely. Those who remain, whether at the workplace or from home, may be working with less supervision than before. In fact, we are seeing many instances where key risk management procedures like dual controls have been weakened or suspended entirely. For example, instead of having two or more employees independently evaluate and compare financial records, now only one employee may be responsible. Or, that supervisory signature normally required on certain transactions? It’s no longer practical given our remote locations, so we’ll just “do it this way” in the interim.

Sound familiar? The problem in these scenarios is that one small transgression that goes unnoticed has a way of snowballing into full-blown fraud.

Rationalization

When opportunity and incentive exist, people are better able to rationalize their fraudulent behavior. That couldn’t be more true than during this pandemic.  “I have to do this to provide for my family. I’ll pay it back later. My employer deserves it for laying me off.” These are some of the underlying rationalizations that turn a fraudster’s underlying thoughts into an actionable theft.

Incentive/Pressure

Financial difficulties are at the top of the list in terms of the pressures that can motivate people to commit acts of fraud. At no other time in modern history have so many people been under such financial strain as they are today.

At the highest of levels of unemployment following the 2008 financial crisis, there were 15.3 million jobless Americans. By the third week of April 2020, 26.5 million workers had filed jobless claims as a result of the coronavirus. An estimated 33 million people are currently unemployed, representing nearly 21 percent of the workforce and the highest unemployment level since 1934. Many who remain employed have agreed to accept pay cuts, work reduced hours, or take unpaid furloughs.

While the $2 trillion stimulus bill, Coronavirus Aid, Relief, and Economic Security Act (CARES), provided some short-term relief, it is likely not enough to stem the extreme financial worry being felt by many who don’t know how they’ll pay next month’s mortgage or cover their car insurance premium.

The pressure is extreme.

The Takeaway? Stay Vigilant

It may be tempting for organizations to be complacent when the world seems at a standstill, but the time to be diligent is now. Businesses should be on “high alert” and taking measures to ensure they’re keeping their operations secure. That includes double checking that access to IT systems and software has been blocked for furloughed employees or that virtual private networks (VPNs) have been created for remote workers. Internal controls should also remain in place, even if they have to be modified temporarily. For example, regularly scheduled phone calls or video conferences send the message that you’re still monitoring employees’ activities. Finally, if you haven’t already done so, it’s a good time to do an updated risk assessment for the entire organization. Asking your team where new vulnerabilities might exist, whether internal controls are still functioning as intended, and what gaps have been created are all part of mitigating the risk potential associated with the Fraud Triangle.

If you’d like help conducting any of these assessments, please reach out to us.