fall-shield-spread-artwork

Corey Gooch, Senior Director, Enterprise Risk Management, ANKURA

Introduction

When the recovery from COVID-19 moves into high gear, leadership teams will be re-evaluating their strategies as they will be operating in a world filled with volatility, uncertainty, complexity, and ambiguity (VUCA). Part of the recovery strategy should include a re-examination or implementation of an Enterprise Risk Management (ERM) program.

Background

ERM is as different from traditional risk and crisis management programs as the difference between driving a car and a semi-truck. Yes, both have tires, an engine, a steering wheel and maybe even a manual transmission, but the similarities stop there. The power and torque needed for serious jobs requires a truck. ERM is the semi-truck of risk management.

ERM emerged almost two decades ago as a best-practice alternative to the traditional approach to risk management – sometimes referred to as managing individual risks in stand-alone insurance programs or in functional business siloes. Traditional risk programs are useful. However, they are only one tool when it comes to managing the risk that will affect the ability of the company to protect its future or to achieve its strategic plan.

Most larger organizations, both privately held and publicly traded, now have some form of an ERM program. This trend is now moving to mid-size and family-owned businesses, as the traditional risk management tools do not always respond to the business needs. The biggest example is occurring now, where property and business interruption insurance programs provide no coverage from the COVID-19 pandemic. While they were never intended to cover this type of non-physical damage risk, it was a big surprise to many organizations.

ERM takes a different approach to risk that answers the fundamental question, “what strategic risks and uncertainties do we face as we strive to achieve our strategic plan?” As well as, “does our risk assessment process give our leadership team both accurate visibility into strategic risks we face and sufficient value decision-making and management tool?”

Typically, an ERM program includes an organizational-wide risk assessment and prioritization process where the risk data is compiled into a “Risk Register” and/or a “Risk Map” is created. The different risks are assigned to various “risk owners” and they are responsible for on-going monitoring or mitigation efforts and then reporting the progress to executive management and the board of directors.

Some benefits companies receive by implementing ERM include:

  • Reduced operational disruptions
  • Improved cost of borrowing
  • Reduced earnings volatility and increased cash flow
  • Enhanced corporate governance with key stakeholders

Why should organizations consider updating or implementing ERM now? One result of the COVID-19 pandemic is that the strategic and operating landscape for organizations worldwide and entire industry sectors are currently in an accelerated transitional phase that will change forever how they manage risks with complex interdependencies. Looking back at how risks were being managed on the ground level is always going to be 20/20. In order to survive and grow, a new approach to risk is needed. The key for executives is to make sure that risks are being managed with a cockpit view and not a rearview mirror.

Actions to be Taken

As mentioned previously, the advent of COVID-19 requires action from executives to re-examine and re-evaluate the fundamental decision-making within their risk management program. In order to be prepared to resume and recover operations in the new normal of a post-COVID-19 crisis, a few critical steps can be taken now.

Step 1. Re-examine risk registers and reassess all risks.

Almost every organization had some view of their own risk universe before the COVID-19 pandemic, but COVID-19 has impacted workforces working remotely and shuttered in place. Millions of workers were furloughed or lost their jobs and their financial stability. Supply chains at every level were stress tested. New risks have emerged. The previously assessed financial risks should be re-evaluated based on the very real and now measurable costs associated with COVID-19. When conducting the risk identification and assessment process, side by side comparisons should clearly illustrate the differences between those identified risks prior to and after the COVID-19 pandemic.

Step 2. Consider risk mitigation alternatives.

After the reassessment is completed, there may be a need to consider additional mitigation strategies if the assessment indicates that any given risk is above desired risk appetite levels. If there are any key risks that are above desired risk appetites, deep dives should be conducted to gain both greater insights about the risk and actions that may be considered to reduce or eliminate the risk. In some cases, the cost of risk mitigation is greater than the benefits of mitigation. Risk owners should clearly understand that the risk has been accepted and a budget for its acceptance may have to be created. Emerging risks that are known but not yet quantifiable should be on the new risk register and assigned to a risk owner in order to keep executive management and the board up to date on changing conditions.

Step 3. Re-examine business continuity plans.

Most organizations also have a crisis management plan, but how many have tested its effectiveness on a global pandemic scenario? As we have seen, a pandemic such as COVID-19 does not represent a traditional business continuity risk. It is challenging the way many organizations respond to risk. In this case, their physical assets (factories and systems) are available for use, but the employees, suppliers and customers are affected and not available. There is also the added pressure to the bottom line, as traditional insurance coverages do not respond to business interruption in the case of a pandemic. Traditional business continuity plans address the most obvious physical threats but do not consider the intangibles such as the reliance on key workers and access to operating systems that might not be available, or without customer demand. However, an integrated approach to business continuity is key when responding to a pandemic threat. It is necessary to reduce complexity and maintain continuity of operations across an organization at a time when resources will be diminished.

Step 4. Communication is critical.

Management of information flow is a key challenge. Staff and customers are seeking information and reassurance at a time when messages transmitted by the media may be piecemeal, skewed in nature and potentially melodramatic. Restrictions on movement of people may be imposed and messages provided by public authorities may be conflicting. As a result, executive and senior management must play a key part of managing the workforce’s anxieties and concerns by maintaining an effective organizational response. Additionally, the potential reputational consequences of not having an effective crisis communication plan in place could be devastating.

Step 5. Plan for resumption and resiliency now.

Organizations need to fully recognize the pandemic threat now and develop a response and recovery plan before it is too late. Business resumption plans must be robust and tested if they are to have the desired results following COVID-19. Without considering the effect on key customers, suppliers, as well as the employees, there is no ensuring the ultimate post-crisis survival of the business.

Conclusion

COVID-19 was not an unknown risk. A worldwide pandemic has been listed on the annual Global Risk Report from the World Economic Forum for almost 15 years. New decision-making will be required as organizations recover from COVID-19. Those decisions should be based on up-to-date information about their risks and opportunities. Companies need to develop their plan of action now. If risk management recommendations are seriously considered, the negative unexpected consequences from future risks like COVID-19 could potentially be reduced or better managed.

Warren Buffet once quipped: “It’s only when the tide goes out that you learn who’s been swimming naked.” In a world where the COVID-19 virus is quickly draining financial and human capital resources, many executives will discover if their risk management or Enterprise Risk Management programs have performed as desired.

Corey Gooch is Senior Director of Enterprise Risk Management at Ankura Consulting Group based in Los Angeles, CA.

  • Categorized in: