The WFH Risk Pyramid
Question: Risks associated with WFH – how has been the actual experience vis-à-vis the expectations?
Over a year into the pandemic, covid has had a devastating economic, social and health impact across the globe. Hundreds of thousands of lives have already been lost and the end of this pandemic is still not in sight. On the corporate side, there are 2 pictures: either a corporate has gone bust (or nearly so), or the corporate is in good shape. Judging from the responses, all the 16 organizations that participated in this cover story seem to be in good shape.
Our respondents have broadly classified WFH related risks into 5 categories: (i) business risks, (ii) cybersecurity risks, (iii) people risks, (iv) operations risks and (v) other risks. Here are their edited responses.
ABHILASH BALAN, CISO at Digit Insurance
Work from home often raises questions on the security of the organization and the increased risk of a breach. However, we were able to manage these risks using cybersecurity protocols and imparting right information to our teams. Digit Insurance took 6 key security initiatives: (i) Implemented secure VPN tunnels (ii) Strengthened the advanced threat protection systems (iii) Audited system & application rights (iv) Used the best AV solution (v) Managed EDR solution for each system in our network, and (vi) Implemented a DLP agent on each laptop to take care of the company’s data on each system.
ANIL PINAPALA, CEO at Vivifi India Finance
During the pandemic, the thing that has really changed character is the concept of working from home. Where possible, this privilege was considered as a ‘breezy-few-days-a-month’ working from the comfort from your couch / bed. However, for organizations to think of it as a long-term option or a permanent option for all or most of its employees, requires them to think of the associated risks and get ahead of them immediately.
Having spent most of my career working remotely leading large teams, we have identified 4 risks associated with WFH: lethargy, focus, mental health and security & confidentiality.
The risk is that it is easy to procrastinate within the comforts of working from home and add to it the unlimited social media activity that can keep us entertained. To counter the risk, we need to inculcate the discipline of working from home and ensure that we have
(i) Lethargy:
a schedule and plan for work days and fun days.
(ii) Focus: It is quite easy to lose focus on what we are doing considering the distractions of family, pets, friends, neighbours, household helps, kitchen sounds et al, but to effectively work from home, one needs to maintain focus on what needs to be done and train oneself to achieve this. Focus makes the work product better and also helps in getting it done faster so improve your ability to focus and not get distracted easily.
(iii) Mental Health: Pandemic news can be distressing and sometimes devastating, playing havoc with our mental health. A regular work environment also provides a social construct for addressing many of the concerns one would face day-to-day, but with everyone working from home that ability to socialize and find answers now doesn’t exist as much. Never ignore the stress or the impact on your mental health and seek the help of your family, friends and if required even a medical practitioner immediately.
(iv) Security and Confidentiality: Data security is a key risk in an environment where a lot of sensitive information and trade secrets are being accessed at home even when tunnelled through a VPN. These can be addressed with several sophisticated security tools to ensure data security, but the success is more dependent on a clear, transparent process and communication that emphasizes the importance of adhering to all the safeguards, no matter how cumbersome they might get.
AVNEESH TRIVEDI, Chief Risk Officer at Moneyboxx Finance
Creating right and feasible kind of IT support system was a big challenge. However, taking clues from last year’s learnings, it was relatively easy for the second phase of the lockdown, as WFH is being considered as a new normal. Teams were also aligned for WFH system this time, so it was relatively easy as compared to last year.
BIKASH CHOUDHARY, Appointed Actuary & Chief Risk Officer at Future Generali India Life Insurance
We anticipate 3 major risk areas with the WFH model - cybersecurity, physical security and new business volumes. While cyberattacks have become rampant during the pandemic, we have implemented several tools and technologies to protect ourselves from various kinds of cyberattacks and stay ahead of the curve. Disposable income and frequent lockdowns.
One risk overlooked was the impact of covid on the safety
and wellbeing of people during the second and third wave of the pandemic. At the start of the pandemic, we had taken a slew of proactive measures to enable our teams to work from home and also educate them about the virus. This approach reaped fruits as we had a <1% infection rate and 0 mortalities. However, the second wave of the pandemic has had a significant impact on our employees and our infection rate is >5%.
We, as an organization, will continue to provide support throughout the crisis. We have 3 priorities throughout the crises. First is providing strong management and leadership support to ensure the health and sustainability of the workforce and our communities. Second is to represent and address the interest of employees in crisis with innovative solutions, quick actions and impactful measures. Third is to support business during this period with relevant information and services as well as opportunities for remote networking and engagement with peers.
BIRANCHI MISHRA, Head – Credit, Risk & Product at Netafim Agricultural Financing Agency (NAFA)
Working from home brings about many benefits. However, the organization also poses a different set of risks – both for itself and its employees. Below are the top 2 risks NAFA identified when it decided to allow employees to work from home.
Cybersecurity Risk: Working from home relies heavily on remote access to the company’s network, cloud accounts, email systems, videoconferencing tools and others. In general, remote work increases cybersecurity risks such as home WiFi security breaches, phishing attacks, weak passwords and access controls, risks associated with accessing the company database through multiple systems and increased data sharing over the internet. We realized that people are often the weakest link in cybersecurity efforts. We started training employees on basic security practices such as setting proper access controls, identifying phishing emails using strong passwords and deleting suspicious emails. We also restricted access to websites not required for day-to-day job-related activities and select employees were allowed to share mail outside the domain.
Employee Health & Safety: Remote working exposes the divide in living setups, divides the ways people and organizations work and creates a divide in our individual needs for social interaction. WFH isn’t about just video conferencing - it’s about tools that streamline and enhance communication, collaboration and transparency. However, we think beyond these tools to ensure that teams are ready to tackle time management challenges and productivity while working with colleagues remotely. Even if teams work remotely, HR arranges regular e-events and gatherings besides arranging sessions with yoga, meditation and health experts to educate and motivate employees to live a healthy lifestyle.
Our overall experience and productivity have been satisfactory except in areas wherein we need regular faceto-face interaction with our customers or other stakeholders outside the organization.
DAMODARAN C, Vice President & Chief Risk Officer at
Federal Bank
WFH was an unimaginable idea for banking sector till the beginning of the pandemic. Now banks are effectively utilizing it to maintain productivity of workforce by leveraging technology enabled platforms. However, being a service industry, there are certain challenges in having a WFH model in its entirety.
Business continuity, or rather continuing business as usual, was one of the major threats that we anticipated during prolonged lockdown and the associated restrictions. Increased risk of cybersecurity was also anticipated, as more customers embrace digital financial services.
Through the usage of collaborative work environment and virtual meeting applications, we are now able to offer uninterrupted banking services. Of course, there are a few domains where WFH model has limitations like catering to the credit needs of NTB customers.
Cybersecurity is the major threat associated with increasing penetration of digitization of financial services. In order to effectively mitigate the threats, we are constantly reviewing our incident tracking algorithms and have ramped up our real-time transaction monitoring capabilities working on a 24x7 basis. Customers are constantly educated on dos and don’ts of cyber security and all members of staff, including top management, are mandatorily required to undergo rigorous in-house programs on cybersecurity.
WFH has its own advantages and disadvantages as far as non-branch operations are concerned. The major challenge was to securely enable access to the applications for the employees working from home. The bank was quick in enhancing the IT infrastructure and upgrading the IT security to successfully meet the challenges. Members of staff were constantly educated on the dos and don’ts of WFH. Access of staff working from anywhere to applications were routed through the secured VPN, on a need to access basis with proper approval from the authorities. Such logins were monitored constantly to ensure that there is no unauthorized access to the bank’s systems.
GOPAL BALACHANDRAN, CFO & Chief Risk Officer at ICICI Lombard General Insurance
If we have been able to survive the pandemic, it has been attributable to our robust Enterprise Risk Management (ERM) efforts. ICICI Lombard has been at the forefront when
it comes to ERM. It was the first Indian company to achieve the ISO 31000:2018 certification in April 2018. The ISO standard has emphasized having an effective risk governance mechanism, a risk aware culture, a strong risk assessment process and robust and dynamic risk and control frameworks.
Here are the 5 main risks from an organizational and finance perspective.
(i) Counterparty Risk: In a volatile environment like the present one, it is crucial to keep a close watch on counterparty risk, by virtue of the fact that if the counterparty fails to settle his obligations to the company, it could in turn impact our cash inflows and thereby end up impacting our balance sheet in some way. Therefore, we continue to keep a close watch on the credit ratings of our counterparties and whether the counterparties would continue to operate as a going concern.
(ii) Mark to Market Value of Investments: We continue to keep a close watch on investments portfolio through assessing the market value of its investments and thereby providing for impairment, where necessary. Our focus is to look at qualitative investments in good companies and also ensure that the right percentage of investments is maintained in liquid assets at all times so that we can honour our obligations to customers on a timely basis. In the last 2 decades, ICICI Lombard has not witnessed any default on its fixed income portfolio, which is a testament of our robust investment practices.
(iii) Cybersecurity: Given that we are operating in WFH environment, protecting valuable company data becomes a key aspect, which places a key focus on cybersecurity. WFH best practices including Dos and Don’ts have been rolled out to users on a periodic basis using various communication channels, end point security measures, e-learning modules, etc. Security related educational videos are being published to guide employees and ensure security in a WFH environment.
(iv) Fraud Prevention & Management: These uncertain times also necessitate keeping a close watch on fraud risk since it is crucial to ensure that only genuine customers are paid claims, thereby protecting the bottom line. We have re-visited the triggers for fraud investigation/s and are carrying out claim related investigations. On account of physical inspections being difficult, virtual investigations are being undertaken through the digital route.
(v) Reputation Risk: We are proactively tracking any impact on the reputation through monitoring of various social media posts, articles on various social media handles, articles appearing in national and regional dailies and other communication modes to ensure that there would be no untoward incidents which would have a material impact on the brand reputation of the company.
K R MOHANACHANDRAN, Chief Risk Officer at ESAF Small Finance Bank
On adoption of WFH, systems of banks need to move from confined and contained environment to open environment. This could result in serious vulnerabilities if not patched or addressed properly, more particularly for financial institutions. Use of Virtual Private Networks (VPN), hotspot Wi-Fi devices, video conferencing facilities and personal devices used for official works/ meetings, etc, could expose banks to risks due to possible dilution in security protocols and encryption standards. WFH scenario is more vulnerable to cyber-attacks, because of lesser security controls.
While WFH could largely help banks more in administrative functions, customer facing transactions cannot be executed through the employees working from home. Digitization in banking is still not at appropriate levels to get all customer facing transactions approved by staff working from home.
We have started WFH arrangements since beginning of the pandemic in a structured manner, taking the limitations as detailed above into account. WFH is extended to staff of branches also in a limited manner. The expectations are largely met, by implementing various technical controls (like multifactor authentication, endpoint posture check, etc) and no security breaches have been reported so far.
The WFH concept will not go away – staff expectations, pandemics, natural disturbances, regional conflicts, etc, will force organizations to think that remote work is an option for all times.
PRITHVI CHANDRASEKHAR, President Risk & Analytics at InCred
The biggest risks associated with WFH are in the real economy. Entire sectors like travel, hospitality, commercial real estate, or even retail, will be adversely impacted for a long time. In the shorter term, there are also employment risks and income risks, especially to contractors or those earning incentives and commissions. There are collections risks arising from borrower/employee migration.
There are also internal risks. WFH requires a higher level of technology security in a sensitive industry like financial services. It also makes it harder to assimilate new employees. So far, these risks have been successfully mitigated. The worstcase scenarios have been averted. But a lot of uncertainty remains, such as covid phase 2, lockdown, vaccination rates, possible covid phase 3, etc. Responsible risk professionals will continue to be cautious.
RAKESH BANSAL, Chief Risk Officer at Hero Housing Finance
Data safety is the main issue. All the laptops were hardened and
outside mails with attachments were not permitted. Also, it was difficult to assess new proposals of self-employed customers. We focussed on salaried segment. There were other restrictions like legal and technical agencies were not working properly. SROs were shut. There were no takers for fresh home loan purchases and hence volumes were less.
ROOPAM ASTHANA, CEO & WTD, Liberty General Insurance
As the pandemic became more severe, we proactively shut our physical outlets and moved to 100% WFH. The expectation here was that this will keep our employees safe from infection, but what we realized was that employees working from home were exposed to more external sources of infection and that they were probably safer in our offices with monitoring of body temperature, usage of masks and hand sanitization.
The other risk associated with WFH is the disconnect with colleagues and lack of informal interactions that help employees, especially new joinees, imbibe the company culture. The good news is that with the entire ecosystem working from home using video communication and other digital assets, the exposure of ‘digital hesitants’ to the new way of working increased forcibly, and this has hopefully converted a lot many more to continue using digital assets.
However, here the expectation that all will move away from the traditional face-to-face interactions will not hold true. Apart from the general risks, we also encountered risks pertaining to processes and systems as everybody had to pretty much overnight devise processes and systems to manage the new work model.
Risk pertaining to processes mainly revolved around premium collection, policy issuance, investigation for fraud detection and claims, etc. Strategic risk included challenges in distribution of our products, change in mindset of customers as consumer confidence dipped, scaling digital channels with changing demands, etc. Risk pertaining to systems included cyber and data security threats and challenges relating to obsolete systems/hardware, etc.
SADAF SAYEED, CEO at Muthoot Microfin
The main risk associated with working remotely is connectivity and backups. Since the entire organization is working remotely, any connectivity issue which may affect work may create serious risk issues. We addressed these issues by providing CUG SIMs to all employees and ensured consistent coordination with the service provider for seamless connectivity at all locations.
Productivity monitoring is another risk given that the nature of business is more into foot-on-street model. The sudden switch to a virtual scenario has created confusion and can lead to productivity risks. Muthoot Microfin has developed its BCP to ensure team leaders are always connected to the team and stay engaged throughout the day through virtual connect.
People are socializing less and there is lesser human contact, which is a big risk for mental health. Lifestyle-related illness risks have also risen over this period. To address this our wellness team is regularly calling the employees and offering them all types of support. The company has also introduced free on-line health consultations for employees and their families.
There is also the issue of keeping track of all assets in use, chances of damage, security risk if they do not adhere to access and privilege protocols etc. Our IT team has disabled some programs at the employee’s extremities so that risk factors may be reduced. The IT team can access the system at any time using any desk application.
SUJAY DAS, Chief Risk Officer at MoneyTap
On one side, WFH allows one to take care of their family and spend more time with them. On the other hand, it brings new challenges on the work front. Many a time, a face-to-face discussion is more fruitful and faster to get to a decision. Scribbling on the whiteboard sometimes help in making somebody understand a concept faster. At times, a 5-minute corridor discussion can move things faster rather than waiting for people’s calendars to free up for a call.
It is said that humans are social animals by nature. Going to the office and meeting colleagues help usher in that social element to a lot of people’s lives. It also helps a lot in terms of decision making and teamwork. While working from home, it does get slightly challenging to have overly distinct boundaries between office and personal work environment and timings.
The new normal is now, everyone understands, more about say, background noises, children playing or even household noises to be a part of calls! A change in environment always refreshes you for the next task, be it personal or professional. Hence the pandemic, has made it more stressful for teams as they are in the same environment all the time with no reprieve, and it can get hard to keep track of time moving.
However, we have also evolved due to work from home and technology has allowed us to keep things going with minimal disruption. That is quite an achievement and has also proven that we can still deliver things at a respectable pace by working from home.
SUNDER NATARAJAN, Chief Compliance & Risk Officer at IndiaFirst Life Insurance
We experienced lesser risks than expected. The biggest risks we faced were business risks of an unplanned surge in claims and a sharp dip in new business and renewals. While the
incidence of claims did go up across the year, the new business and renewals witnessed a consistent recovery quarter on quarter. A robust process built over the years helped shape the recovery.
Other big risks were around the market and interest rate volatility. Tight governance of our investment philosophy and tight ALM management helped us derive best benefits the situation presented. Operational & IT risks were also kept under tight control through timely upgrades and astute management.
Venkata JayaRaman m., Chief Risk officer at Fincare Small Finance Bank
With the advent of the pandemic, traditional work models are getting transformed, with increased use of automation and digitalization tools. As the number of employees and home IP addresses have taken a step jump, the diversity of threats on devices exposed to local home network, pose a few challenges, including:
(i) The need to put in place necessary infrastructure to provide secure access to confidential information from home/ remote.
(ii) Network latency at the employee’s location leading to issues in providing seamless connectivity through VPN. (iii) Endpoint patching. (iv) Providing remote IT support. (v) Remote onboarding of new joiners. (vi) Given that home networks are inherently insecure, need for continuous monitoring for new IoCs & IoAs. At Fincare Small Finance Bank, our security priorities have always been aligned to the bank’s strategy pillar of safe and secured banking. Given the heightened threats, cutting-edge cybersecurity solutions were implemented to strengthen the cybersecurity maturity level of the bank.
ViJayalak Shminata Ra Jan, Chief Compliance & Risk officer at aviva india
The pandemic led to businesses around the globe transitioning workers to remote work, introducing new challenges to companies and employees alike. One of the biggest of these were cybersecurity and keeping company intelligence safe with employees no longer protected by corporate firewalls. Four key risks associated with WFH are: (i) insecure asset (ii) access to unauthorized sites (iii) data leakage (iv) insecure internet connection exposing the company to information and cyber security threats.
Moreover, we need to ensure that the connectivity to company’s systems and applications is strictly through the company’s network enabled through secure VPN. For an insurance organization, it is important to restrict this concept to safeguard the company’s information. Our focus is to provide adequate training and awareness to promote safe usage of systems and applications and enhance the ability to differentiate between genuine emails and phishing attempts.
Summary
Except two, all our respondents spoke about cyber risks, and that places it at the top of our risk pyramid associated with WFH. Six respondents spoke about human risks – chiefly social issues as well as physical health and mental health issues – and that places it at the 2nd position. Five respondents spoke about business risks, placing it at the 3rd position. Three respondents spoke about operations risks, placing it at the 4th position. Other risks mentioned include reputation risk, staff induction issues, etc. The same is represented as an infographic. Our respondents also put forward a very wide variety of solutions in
response to the WFH risks.