Governments across the world are reducing restrictions on movement and business openings as COVID-19 curves flatten. But many countries are likely to turn these restrictions on and off, as the health crisis continues to evolve.
Businesses will need to adapt to these changes and bring a new risk mindset to the challenges of operating in this current phase of the pandemic. The unprecedented impact of COVID-19 has challenged previously held assumptions around plausibility and severity. As businesses adapt operations and build resilience, they will need an enhanced approach to risk that encompasses:
- Agility: Businesses must be able to act immediately and urgently when new risks are identified and also continue to interpret and detect rapidly emerging risks in a very different landscape.
- Data-driven approaches: Leaders will need to shift from relying on subjective judgement towards adopting data-driven approaches – ones that link internal and external data to feed smart decision-making that aligns to firm strategy and risk appetite.
The impact of COVID-19 has created immediate implications for managing risk and raised questions around the longer-term approach to preparing for disruption. For most businesses, lockdowns have affected governance and controls across the organization, and leaders now face the challenge of reintroducing these processes as operations restart.
The disruption created by COVID-19 has also highlighted the need for greater insight into how risks faced by third parties and customers impact the business. Businesses must also ensure they have the ability to quickly elevate emerging risks as operational recovery progresses. And the importance of the right data at the right time has never been greater – amid uncertainty, leaders must use data to supplement their judgement and enable dynamic decision-making.
Key actions to tackle these challenges include:
1. Reinstate and update risk governance and internal controls
As operations transition into the next phase of recovery, leaders should take a thoughtful and measured approach to reinstating controls while also assessing where changes are needed. They may need to update internal controls on financial reporting and realign with the external auditor in critical areas (e.g. scope, materiality, timing of procedures).
Rebuilding trust with employees, suppliers and customers will also require a reassessment of whether current monitoring and support protocols of internal operations and third parties are still fit for purpose. Particular attention should be paid to their ability to mitigate risks around financial health, cyber, geopolitical and operational issues, especially around hazards related to restarting closed plants/offices.
To avoid the potential for fraud, it may be appropriate to continue to triage certain decisions, including those around interactions with clients and third parties.
2. Supplement the risk function with next-generation capabilities built on trusted data and analytics
Businesses will need to complement experience and judgement with next-generation capabilities built on data and analytics. In April 2020, EY’s Global Board Risk Survey found that fewer than 20% of board members are extremely confident in risk reporting from management on a range of significant issues. Now more than ever, CXOs must be able to rapidly bring together information sources from across the enterprise alongside external data, to allow leaders to develop a deeper understanding of more complex emerging risks.
With COVID-19 likely to create ongoing uncertainty, a data-driven approach will be critical to gaining comprehensive insight into the potential risks of a certain strategy over the long-term and considering a range of different factors. In particular, AI will allow the first line of defense to respond in real-time and give the second line of defense the confidence to focus on navigating the forward risk agenda with agility and resilience.
3. Embed the trust-by-design mindset
The COVID-19 crisis has highlighted the need for instilling a risk mindset and culture across the organization, while harnessing the ever-increasing types and sources of upside, downside and outside risk. While strategic changes can be made over time, risk leaders must have a seat at the table to provide a risk-informed perspective that can increase the trust of the business’s stakeholders.
Economic recovery from this pandemic is likely to be long and uneven. With experts warning of a second wave of COVID-19, leaders will need risk strategies that consider a range of scenarios for their businesses, as well as for suppliers and customers. And organizations must keep their eye on the bigger risk picture – other threats to business, including climate change, should not be overlooked. Key actions that can build a more resilient enterprise include:
1. Stress-test scenarios as part of contingency planning: Nearly 42 percent of CFOs are not prepared for a second wave of COVID-19, and only 8 percent of them have a second wave factored into all their planning scenarios, according to a recent Gartner survey. With many health experts warning of a re-occurrence of the virus, firms will need to brace for this and its associated impact on customers, employees, third parties and other critical functions. CXOs should develop a contingency plan and stress-test plausible scenarios for third parties, cyber, operations and regulations.