How can data help you manage the rapidly changing landscape of risk? How can data help you manage the rapidly changing landscape of risk?

Governments across the world are reducing restrictions on movement and business openings as COVID-19 curves flatten. But many countries are likely to turn these restrictions on and off, as the health crisis continues to evolve.

Businesses will need to adapt to these changes and bring a new risk mindset to the challenges of operating in this current phase of the pandemic. The unprecedented impact of COVID-19 has challenged previously held assumptions around plausibility and severity. As businesses adapt operations and build resilience, they will need an enhanced approach to risk that encompasses:

• Agility: Businesses must be able to act immediately and urgently when new risks are identified and also continue to interpret and detect rapidly emerging risks in a very different landscape. 
  
• Data-driven approaches: Leaders will need to shift from relying on subjective judgement towards adopting data-driven approaches – ones that link internal and external data to feed smart decision-making that aligns to firm strategy and risk appetite.

 Adapting operations

The impact of COVID-19 has created immediate implications for managing risk and raised questions around the longer-term approach to preparing for disruption. For most businesses, lockdowns have affected governance and controls across the organization, and leaders now face the challenge of reintroducing these processes as operations restart.

The disruption created by COVID-19 has also highlighted the need for greater insight into how risks faced by third parties and customers impact the business. Businesses must also ensure they have the ability to quickly elevate emerging risks as operational recovery progresses. And the importance of the right data at the right time has never been greater – amid uncertainty, leaders must use data to supplement their judgement and enable dynamic decision-making.

Key actions to tackle these challenges include:

1. Reinstate and update risk governance and internal controls

As operations transition into the next phase of recovery, leaders should take a thoughtful and measured approach to reinstating controls while also assessing where changes are needed. They may need to update internal controls on financial reporting and realign with the external auditor in critical areas (e.g. scope, materiality, timing of procedures).

Rebuilding trust with employees, suppliers and customers will also require a reassessment of whether current monitoring and support protocols of internal operations and third parties are still fit for purpose. Particular attention should be paid to their ability to mitigate risks around financial health, cyber, geopolitical and operational issues, especially around hazards related to restarting closed plants/offices.

To avoid the potential for fraud, it may be appropriate to continue to triage certain decisions, including those around interactions with clients and third parties.

2. Supplement the risk function with next-generation capabilities built on trusted data and analytics

Businesses will need to complement experience and judgement with next-generation capabilities built on data and analytics. In April 2020, EY’s Global Board Risk Survey found that fewer than 20% of board members are extremely confident in risk reporting from management on a range of significant issues. Now more than ever, CXOs must be able to rapidly bring together information sources from across the enterprise alongside external data, to allow leaders to develop a deeper understanding of more complex emerging risks.

With COVID-19 likely to create ongoing uncertainty, a data-driven approach will be critical to gaining comprehensive insight into the potential risks of a certain strategy over the long-term and considering a range of different factors. In particular, AI will allow the first line of defense to respond in real-time and give the second line of defense the confidence to focus on navigating the forward risk agenda with agility and resilience.

3. Embed the trust-by-design mindset

The COVID-19 crisis has highlighted the need for instilling a risk mindset and culture across the organization, while harnessing the ever-increasing types and sources of upside, downside and outside risk. While strategic changes can be made over time, risk leaders must have a seat at the table to provide a risk-informed perspective that can increase the trust of the business’s stakeholders.

Building resilience

Economic recovery from this pandemic is likely to be long and uneven. With experts warning of a second wave of COVID-19, leaders will need risk strategies that consider a range of scenarios for their businesses, as well as for suppliers and customers. And organizations must keep their eye on the bigger risk picture – other threats to business, including climate change, should not be overlooked.  Key actions that can build a more resilient enterprise include:

1. Stress-test scenarios as part of contingency planning: Nearly 42 percent of CFOs are not prepared for a second wave of COVID-19, and only 8 percent of them have a second wave factored into all their planning scenarios, according to a recent Gartner survey. With many health experts warning of a re-occurrence of the virus, firms will need to brace for this and its associated impact on customers, employees, third parties and other critical functions. CXOs should develop a contingency plan and stress-test plausible scenarios for third parties, cyber, operations and regulations. 

2. Realign risk management frameworks with the new normal: Even as some normality returns post-COVID, EY anticipates that the path of economic recovery will be up-and-down and saw-shaped. Ongoing volatility creates a need for far more agile operating models and a risk function that can maintain effectiveness even as it flexes. The pandemic has also seen some risks become more prominent. The sheer size and scale of government support and stimulus programs will likely give rise to potential tax increases – businesses will need to monitor and prepare for the associated, significant risk. Risk frameworks and controls must evolve as conditions change.

3. Don’t neglect other megatrends and associated risks: Even as firms focus on recovering from the COVID-19 pandemic, they need to keep an eye on the various megatrends on the horizon. Some, like digital transformation and future of work, have been accelerating, making digital trust, in use and design of technologies, even more necessary. Others, such as climate change, may have temporarily receded in prominence but will come back into focus once conditions stabilize. Carbon regimes may emerge as a favored policy alternative, as governments seek to address deficits while tackling climate change. Risk leaders will need to stay abreast of all these factors to understand the impact of current proposals and potential strategies. 

Reframing risk for future resilience

COVID-19 has highlighted the importance of embedding risk management across the organization and of continually reviewing the effectiveness of controls. The crisis has created an urgent need to overhaul traditional approaches to managing risk, as the importance of data-driven, analytics-enabled decisions becomes critical. Those risk leaders that can harness data to reframe their risk mindset will support their organization to adapt more quickly to changed conditions and increase resilience for an uncertain future.