Updated: May 28, 2020
Has the 1st line of Defense forgotten to speak up?
In this Compliance versus Complacency article, I'm looking at our complacency with raising our hand or speaking up. Remember when we were first documenting our risks and controls? We asked everyone to speak up about areas in which they thought we could be more efficient and areas where they thought there were redundancies.
Has everyone gone silent? I hope not. I hope that as you conduct your risk and control self-assessments, as you contact your first line of defense, you are challenging them to continually monitor and re-evaluate their activities. It will be interesting to see what areas they question now that they are working remotely. Do some activities seem unnecessary? Are we changing how we execute some of our controls? Are we more efficient or less efficient?
I will never forget when a new employee approached me, stating that he thought the control he was to execute was a "stupid" control. We discussed its importance, or so I thought. Needless to say, the control eventually failed, and when we explored the risk that the control was supposed to detect, he realized the importance of its execution. However, his next comment, "but if we do 'xyz,' we could prevent it from ever happening," was an eye-opener for me. I never again dismissed someone who said a control was "stupid." I try to brainstorm with them until we are both satisfied that the risk can be prevented or detected before it stops us from achieving our objectives.
Now would be a great time to check in with our first line and see if the execution of controls has changed in our new environment. Take this time to ask more questions and understand what impact the shift in our working environment is having on our risk and control structure. Perhaps working from home is our fresh set of eyes. It might be refreshing to talk about something we do have control over right now.
Stay safe and let me know in what other areas you think we have become complacent.