As a follow-up to our initial communication regarding pandemic risks from a business risk perspective, Rochdale Paragon recently worked with Excite Credit Union ($514 million credit union in San Jose, CA) to facilitate a discussion regarding risks that should be considered with an increasingly large remote workforce. With respect to the coronavirus crisis and our collective effort to mitigate unnecessary staff and member exposure, many credit unions have implemented remote work policies for non-essential and other personnel. As such, remote work policies are being reviewed to ensure appropriate risk mitigation steps are in place given the constantly evolving risk inherent in remote employees, especially given the dynamic environment we are currently operating in. We encourage all credit unions to remain vigilant and agile as decisions need to be made regarding practices necessary to protect employees and serve members.
It is important that leaders remain objective and ensure that decisions are based on a foundation of reality and not in response to unfounded claims or bias. It is especially important in these times that critical thinking be applied to the various decisions being made to ensure a coordinated effort to reduce or at least be aware of risks inherent in those decisions.
Rochdale Paragon has and is taking internal steps to address implications on our business, but also working to find ways to assist credit unions through the risk assessment process such that credit union leaders can remain focused on meeting the needs of their employees, their members and the collective communities they serve.
The following risk assessment components are intended to provide general direction and ideas that leadership teams should consider as they discuss the implications of an increasingly large remote workforce. While not exhaustive, it is our hope that this provides a starting point to spur thought within your organization regarding the types of risks that should be considered. If your organization has any questions on the below list or has ideas for which you are willing to share with others, please don’t hesitate to reach out to us.
CREDIT UNION – REMOTE WORKFORCE RISK CONSIDERATIONS
Compliance Risk
- Non-compliant / incongruent policies regarding remote employees
- Exempt vs non-exempt employee tracking (ensure consistent treatment)
- Lawsuits from increased member/employee data protection issues
- Increased ADA risk exposure (failure to make appropriate ADA accommodations or meet employee requests)
- Increased challenges in communicating with compliance department / limited compliance accessibility resulting in non-compliant operations
- Potential of work comp claims
Credit Risk
- Difficulty in collaborating on underwriting
- Challenges in coordinating various reviews (QC, appraiser, etc.)
Interest Rate Risk
- Communication challenges resulting in pricing errors and other poor decisions
Liquidity Risk
- Risk of being unable to access VPN and other connections with the FRB, FHLB or other liquidity sources
Reputation Risk
- Inability to staff branch locations and provide member service
- Poor, ineffective or untimely communication to members and employees
- Perceived lack of professionalism on calls depending on home environment, background noise, etc.
- Missed calls or meetings due to technology inconsistencies (time zones, etc.)
- Insufficient work from home protocol (attire, professionalism, etc.)
- Increased social media risk from EEs broadcasting work from home, etc.
Strategic Risk
- Increased challenges in strategic alignment (are folks working on rights things, do strategic objectives still matter or have they changed, etc.)
- Diminished opportunity for staff training/mentoring
- Decreased employee morale given less interaction with coworkers
- Increased stress and anxiety due to personal concerns (news, financials, etc.) resulting in diminished focus on work-related tasks
- Increased stress and anxiety resulting from burnout (employees feel as if they never leave the office)
- Psychological issues with folks working from home for long periods (with no outside breaks)
- Increased personal/family issues affecting productivity, member service, accuracy, etc.
- Decreased morale or other issues due to who gets to work from home vs who doesn’t
- Difficulties in managing and monitoring employees (productivity, hours, errors, member service, etc.)
Transaction Risk
- Decreased staff productivity
- Diminished internet / network bandwidth affecting operations (onsite and/or remote workers); slowed system response times
- Increased exposure to inconsistent procedures
- Inadequate supplies (laptops, VPNs, forms, etc.) to work from home
- Challenges with acquiring enough laptops and other equipment
- Increased data / cyber security issues as more personnel work remote (i.e., use of non-approved equipment, increase in BYOD, unsecure remote access set-ups, etc.)
- Increased fraud related to scams and other virus-related claims
- Increase fraud vulnerability due to non-normal conditions
- Employees lack home internet (internet reimbursement expenses)
- Increased IT support needs
- Increased challenges in providing IT support (challenge in employee being able to do their part)
- Inability to access all systems remotely (consider product by product and area by area – where are there potential constraints)
- Increased errors as employees might be more distracted by working remote
- Increased telecom expense for long distance, etc.
- Increased expense to cover / add cell phone expenses
- Increased ergonomic issues (eye strain, carpal tunnel, chair design, etc.)
- Challenges in enforcing mandatory vacation (no access) periods relative to policies
- Lack of training results in inappropriate screens (emails, member data, etc.) being shown on online meetings
- Slower response to internal requests, reviews, etc.
- Issues with online meeting tools (dropped calls, increased buffering, etc.)
- Security concerns with online meetings tools and conference calls
- Theft of laptop or other remote equipment
- Increased risk in patching abilities due to file limitations, etc.
As credit unions navigate different work environments in response to the COVID-19 virus, it will be important for all responses and changes to standard corporate policy align with state and federal law. This will help to ensure continuity and legal alignment to avoid creating any new risks when implementing the controls ultimately designed to protect your organization.
Like the lists above, the list below is intended to provide ideas for which each organization should consider specific to their individual situation.
CREDIT UNION – REMOTE WORKFORCE RESPONSE CONSIDERATIONS
Compliance Risk
- Align corporate policies with federal and state recommendations
- Follow privacy protection framework
- Review personnel policies (communicable illness, leave, medical)
Credit Risk
- Update credit policies and procedures and ensure all steps are being taken
- Track temporary procedure changes such that they can be revisited down the road
Interest Rate Risk
- Ensure timely communication
Liquidity Risk
- Testing and ensuring accessibility to key liquidity providers and systems
Reputation Risk
- Communication plans (over communicate vs assuming understanding)
- Personnel and member education and reassurance
- Publish work from home protocol (attire, noise, screens displayed) and expectations (hours, voice vs video conferencing, etc.)
- Revisit social media policies and procedures
Strategic Risk
- Agile leadership and communication (over communicate)
- Cross-functional response teams that meet regularly
- Scenario planning visited frequently with updated assumptions
- Be intentional about finding ways to engage staff (both work and non-work related):
- Increase events for team building, morale, etc.
- Push video conferencing where possible so people can see and interact with others (even if productivity slips)
- Drive normalcy and routines wherever possible
- Encourage diversifying scenery (work in different rooms, work from a patio, etc.)
- Provide enhanced employee benefits (counseling, financial assistance, etc.)
- Evaluate employee access to and availability of mental health and social services, as needed
- Reporting and measurements to set expectations and monitor performance
Transaction Risk
- Expand online capabilities (increase remote system availability)
- Increased use of webinars and teleconferencing (ensure appropriate bandwidth)
- Increased cross training and procedure training
- Provide tips to ensure proper ergonomics
- Allow staff to take home necessary equipment (keyboards, mouse, headset, monitors, laptop charger, etc.)
- Encourage personnel to set schedules and adhere to them (don’t work non-stop)
- Encourage exercise and personal well being
- Encourage rotating routines to help engagement
- Encourage personal device downtime (Facebook, LinkedIn, texting, etc.)
- Outline hiring and termination protocols
- Highlight work from home in hiring processes to stress efficiency and productivity items
- Partner with strong IT vendors
- Maintain strong IT help desk function
- Provide communication on when and who to call for IT and other assistance
- Maintain extra IT equipment and resources to address IT issues for remote issues
- Provide contact info for appropriate team members, vendors and others
- Provide training for appropriate use of remote applications
- Establish defined protocol for email responses, support issues, reviews, etc. (response time, response channel, etc.)
- Identify and provide additional communication channels (Spark, Slack, Skype, Microsoft Teams, etc.)
- Use caution with cell phone pictures and videos (your or others) as non-public data may be on screen
- Increased fraud vigilance (e.g., don’t click on unknown links, watch for sketchy emails, ignore online vaccination offers, be wary of charitable donation requests, be alert to “investment” opportunities, watch for malware attempts, review fraud limits and monitoring processes, etc.)
- Require clean desk policy for homework stations
- Maintain appropriate IT restrictions (IP-restricted access, etc.)
- Implement/use VPN connections where possible and as it makes sense
- Turn on 2FA or MFA for applications that make sense
- Consider use of a password manager if employees are using different machines than normal
- Require device management software on mobile devices to ensure devices are secure and up to date
- Ensure admin calendars remain up to date such that there is clarity around availability and time off
- Ensure all laptops and devices have full encryption
Regardless of where your credit union is in the decision making process regarding remote workers, it is our hope that this document will help ensure your leadership team is asking the right questions to ensure relevant, reliable, unbiased information is being used to make the best decisions. Our hope is that the information provided to you today will serve as a foundation as we work together to understand the risks we face and how we uncover the best possible solutions to manage them.
Thank you to Hector Espinoza (VP Risk Management) and Kevin Alsup (SVP Technology) from Excite Credit Union for your contributions to this article.
If you have any questions regarding the above information or if there is anything further that Rochdale Paragon can do to assist through this time, please don’t hesitate to contact us.