COVID-19 and Risk Management


Posted on: May 12, 2020


The CEO calls you today and asks, “What will we do differently tomorrow?” This question will be asked by many leaders today, and tomorrow, as we adapt to the crisis that will compel risk professionals to manage at a new level. To deal with the unprecedented impact COVID-19 has had on the ability to respond and react to a crisis, successful risk leaders must urgently pivot and put in place an environment of agility, resilience, and integration. Risk leaders who drove principles like risk identification, analysis, and control must now redefine their risk programs to interpret real-time data, minimize the time between occurrence and consequence, and visualize risks contextually within and beyond the organization.

Actionable Data Over Prescriptive Plans

Risk management teams will now need to know, in real time, the scope, probability, and impact new risks have on an organization. Because scope and impact are dynamic, risk managers will need to continually review relevant risks in order to prioritize responses. Having the ability to interpret events, which are categorized according to their probability and anticipated impact, and manage these events proactively is crucial when prioritizing efforts for response and remediation. Historically, risk management programs were driven by risk assessment software plans, at times established collaboratively with business leaders and executed on a prescribed cadence. More often than not, these plans were driven by internal and/or external reviews, customer complaints, and issues identified by regulatory agencies. More often than not, assessments simply scraped the surface of what may have existed as real risk, deeply embedded in the organization’s matrixed and inter-related operation.

Prior to COVID-19, the information available to risk teams limited the mitigation of risks or issues by measures designed to lower probability or impact. Assessments built upon plans, and not data, leveraged pre-determined metrics. These metrics were not in line with empirical data specific to the triggered risk event. The likelihood of risks occurring was managed by contingency measures, planned in advance but only triggered after the risk happened. What remained was a risk environment that was strictly reactive. The only proactive measure for addressing these risks was setting aside time, resources, and flexibility to be used once the risks were known. Post-COVID-19, a global pandemic or event of this magnitude will need to be treated as a foreseeable event, and anticipating and preventing the associated risk will require information specific to the event in real time so that mitigation and contingency measures can be considered.

Resilience is a Journey

In addition to responding immediately to risk events, resilient risk organizations must minimize the time between occurrence and effect. The “New Risk Team” must enable organizations to anticipate and react with agility and must visualize and respond to risks across the company and their service/supply chain. A “resilient” risk team will evolve beyond traditional strategies and practices, building a culture and infrastructure into its ecosystem that will enable it to react immediately.

“But how?”, your CEO asks. Again, your answer lies in real-time data flowing from a decentralized risk assessment process back to a centralized platform giving you the agility to visualize, react, and respond to risks across the company. The most successful risk management programs will combine a decentralized and integrated process with centralized oversight. With a global view of risk across the enterprise, a centralized oversight team can lead integrated, local business partners in identifying and qualifying events that provide a lens into the company’s exposure.

Silos “No More”

A successful post-COVID-19 risk program will no longer operate in isolation. It will be an operational imperative for a business unit to connect with other business partners as well as the centralized risk team. Integration must exist on both a data and organizational level. The ability for the risk team to provide oversight and guidance in “real time” will require information specific to each organization to be inter-connected and aggregated into a global dashboard of internal metrics directly tied to external organizations and system and community information providers.

Data integration and organizational connectivity enable teams across the enterprise to improve performance, gain insight and actionable intelligence, and make more informed decisions to support strategic objectives. Integration allows for the management of the full scope of risks, resulting in an agile and resilient organization. Polarization and siloed efforts are a waste of opportunity, not to mention time and resources. Without centralized data management, processes are duplicative and inconsistent, leading to reporting generated from incomplete or outdated data sets.

“A Stake in the Ground”

A core principle for any type of growth is to learn from experience and improve. COVID-19 will be that moment in time when the risk management profession has the opportunity to learn and change forever. At the center of this principle for growth, risk management must adopt a technology-enabled solution capable of assimilating data as it originates, whether from third-party risk management or internal sources. Having the right IT infrastructure in place, one that enables instantaneous response to data as it becomes available and presents this information as an interpretive and meaningful snapshot at an integrated global level, will prove vital to the transformation to a resilient and new risk organization, post-COVID-19.

Has Risk Management learned from its experiences?

“How likely is it we can make these changes?” your CEO asks. “Do we have an alternative?” you reply.