Master risks during
the COVID-19 crisis

The COVID-19 pandemic forced multiple companies to reinvent themselves in a few weeks. See how CogTL enabled a quick deployment of teleworking while keeping cross-border and regulatory risks under control.

Teleworking: pros and cons

Teleworking solutions have been available for 15-20 years, and have really become convenient since around 2010, but companies have had vastly different opinions about proposing such alternatives for their employees. The spectrum went from the most conservative positions of “bunker-like” corporations to enterprises strongly adopting the technology and becoming nearly full-remote, sometimes even leaving physical offices.

We will not discuss here the many different factors that can influence the position of companies, like the potential productivity gain or loss, the employee’s happiness with a better work/life balance, the image of the company, the impact on costs (real estate, rent, electricity…), etc. But we will focus on one aspect that may have a crucial importance when it comes to letting employees work from their home: regulatory, operational, and cyber risks.

A quick step forward

In March 2020, during the first wave of the COVID-19 pandemic, a lot of companies have been forced to propose remote access solutions to a large proportion of their employees. If the first struggle was to be able to technically sustain the load of numerous remote connections in parallel (in terms of infrastructure and licenses), risk managers and executive committees have been feeling the urge to keep several risks under control, in particular:

Regulatory risks for enterprises in highly regulated industries or countries: for example, banking secrecy, mass access to CID (Client Identifying Data) or PII (Personally Identifiable Information).
Fiscal risks due to a potentially high number of employees working from other countries (cross border staff).
Cybersecurity risks as remote access is most of the time originating from an uncontrolled device, which can lead to intrusion or espionage.
Operational risks of errors, due to employees that can be more distracted or the “cat factor” (yes, the cat walking on a trader keyboard, that’s it).

Even in this Crisis situation – or should we say particularly in this Crisis situation -, enterprises have been needing to cover those risks, or at least be able to measure them, knowing that rules could change from one week to another, a rotation could have been put in place between half teams, and people could get quarantined or sick from one day to the other.

One word: AGILITY

If the concept of agility has been applied to IT development, business analysis, cybersecurity, and if multiple IT methodologies aim at easing quick adaptations and give reactivity to align technology with the business, traditional risk management is traditionally rather implemented as a second line of defense, with decision processes that do not have a strong necessity to be short – above all, they have to take all elements into account and carefully weight all arguments.

But in this critical situation when multiple changes had to occur, a lot of risk managers admit that they have been temporarily losing control of the situation: the business had to continue, anyways.

Cognitechs contribution

Our technology was invented to master risk in quickly evolving complex systems. Therefore, we were able to work along with our customers, to put in place multiple compliance rules and checks, taking all available information into account, and providing risk managers with always up-to-date information, enabling them to keep the control.

More specifically, we fed CogTL with a subset of the following elements:

Applicative user accesses, by connecting to directories or reading third party systems extractions.
Basic HR information, in particular the domiciliation of the employees and the country where they work.
Fine-grained accesses, e.g. the count of customers names, or CRM data visible by every employee in various systems.
Employment rate, seniority of the employees.
A list of sensitive assets of the company, or in best cases, a characterization of every accesses (do they give access to sensitive information, do they pose an integrity risk…)

We then used CogTL to design amazingly simple rules : identify cross-border employees, count the number of sensitive accesses that every user has, potentially by weighting every sensitive access using more precise rating, etc.

Then with PeopleRisk, it was just a matter of setting thresholds. Do cross-border staff cannot remotely access sensitive information? Just a click. Employees with remote access should not have access to mass sensitive data? Just a threshold to set using a cursor.

In a few weeks, we were able to provide risk managers and senior management with PeopleRisk, allowing them to see all compliance rules violations, temporarily accept them in certain cases (with comments for future reviews or for internal auditors for example), and be alerted whenever a new situation was detected.

In some cases, PeopleRisk was even integrated with the access management workflows, to use its simulation features and prevent toxic combinations of accesses that would have led to a non-compliant situation, in an even more proactive way.

Outcome