Organizations can prioritize their response with three key steps for their ERM and other risk functions.
COVID-19 has changed the world as we know it. The speed at which the world is changing and the scale of the resulting impact are unprecedented, and the effects on governments, businesses and industries are continually evolving. Recent events have also provided a new perspective on how we view and manage risk and, specifically, enterprise risk.
Organizations are now faced with the prospect of quickly and effectively responding to the “new” business environment — there is a renewed focus on enterprise resiliency that relies on coordinated risk assessment, planning, monitoring and response across the enterprise. Regardless of whether a formally defined enterprise risk management (ERM) program is in place, organizations need to trigger coordinated, interdisciplinary teams to leverage risk activities to identify potential events that may affect the entity, manage risk within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives. To quickly address this new environment, organizations can prioritize vital actions by focusing on the steps that ERM and other risk functions can be taking: respond to crisis, stabilize and optimize the business, and transform for sustainable growth.
Now: respond to crisis
During this phase, organizations will be keenly focused on ensuring the safety and health of their people and customers while still trying to manage their business model. Key areas that ERM professionals should support include:
1. Enacting previously developed preparedness plans
As organizations take immediate actions as COVID-19 spreads and forces operational disruptions and shutdowns, they must rely on a vital piece of risk response planning: business continuity and, specifically, pandemic preparedness plans. ERM professionals can focus on:
- People engagement and safety — support business continuity by assisting with cross-functional response teams to provide for remote working arrangements or infection protections if remote working is not available, and consider regular and transparent communications to inform and reassure employees.
- Customer engagement — keep customers apprised of impacts, stay in contact with suppliers, review terms and conditions on commercial relationships, and develop and test contingency scenarios for continuing operations in a restricted capacity.
- Liquidity — support building a portfolio of cash improvement actions, assist in cash forecasting, protect credit, tighten controls around customer exposure and collections, and reduce cash outflows.
- Stakeholder engagement — understand critical stakeholder priorities, support scenario planning and analysis to reforecast, address emerging challenges with a cross-functional team to ensure decision governance, and assist in coordinating and enabling clear communication.
2. Conducting rapid impact assessments
Given the high fluidity of the external and internal environment, ERM professionals should initiate rapid risk assessments with leadership. While executing on preparedness plans, the priority of the risks to the organization will be changing quickly, and leaders should be highlighting new risks that are surfacing. A weekly review of key risks to the organization, focused on the risks that need to be prioritized for response from limited resources, is key to managing the organization’s risk profile and risk appetite in the time of crisis.
3. Informing on risk mitigation gaps due to capital outflows
The efforts that the organization puts forth to manage its people, customers, stakeholders and its own financial stability require capital. ERM’s role is to monitor risks where capital may be shifted away from existing risk mitigation and to ensure management is aware of new exposures that may surface as a result. For example, as many organizations shift their workforce to a remote working model that puts additional stress on the IT infrastructure, they may require additional capital to mitigate the increased IT-related exposure. Given the need to focus on immediate organizational needs, having gaps in some risk mitigations may be acceptable to leadership. ERM professionals should assist leaders in identifying where gaps exist and help leadership make risk-informed decisions about capital allocation across its portfolio of risks.
Next: stabilize and optimize
Leaders need to consider that the definition of “business as usual” for their organization has likely changed. When the organization undergoes a significant disruption, it needs to reassess its performance objectives, strategy and risks to sustaining that strategy. With these changes in mind, refreshing the organization’s enterprise risk profile is essential. In order to do this, ERM professionals need to consider the following:
1. Determine if and how your organization’s performance objectives and strategies have changed
Every company measures performance, whether it’s qualitative or quantitative. Performance goals may range from quantitative (for example, grow revenue by 10% or gain market share by 1 point) to more qualitative measures, such as being one of the top employers in the local area.
Given the changes that the world has seen with COVID-19, ERM professionals should consider asking questions such as:
- Do our performance goals still make sense, or do they need to be adjusted? For example, is it realistic to increase market share when our company was disrupted for an extended period of time?
- Are our existing strategies positioning us to achieve the performance objectives?
- Are we exposed to new outside risks that require us to re-evaluate our strategy?
Executives may need to reassess their strategies in the post-COVID-19 world and adjust them and reprioritize projects, as needed. If this does occur, ERM professionals should drive a refresh of the risk profile of the organization considering the updated performance objectives and/or strategies.
2. Consider the context of the new external environment
COVID-19 has shown us that the world is more connected than ever before. As stewards of risk within an organization, ERM professionals should ensure that economic and overall environment changes are considered as part of assessing the organization’s risks.
Looking back on lessons learned from COVID-19 and identifying where the organization is vulnerable or interdependent is important. For example, while third parties may be diligently monitored with formal procedures, standardized contracts and other mitigations, the financial viability or operational integrity of third parties likely changed as a result of COVID-19. ERM professionals are implored to re-evaluate the risks that third parties bring to the organization considering the new environment.
3. Evaluate internal and operational changes
It is also important to account for changes to each organization and how those changes may impact the risk profile. Questions the ERM function should ask to help understand these changes may include:
- Did we take on additional leverage and increase our financial‑related risks? If so, how much?
- Were divestitures necessary to meet cash requirements, thereby changing our business?
- Is there a decreased (or possibly no) market for a particular product/service as a result of the closures? Is it fair to assume that market can come back to its previous levels?
- Did we lay off people, and are we now operating with fewer resources?
Related to these questions, the acceptable risk tolerance levels will need to be revisited. Similar to step 3 of Respond to crisis, allocating capital singularly to the COVID-19 pandemic response may have pulled capital from other important risk mitigation efforts, and the organization may now be operating outside of previously defined acceptable risk tolerances. For example, an organization with five key cyber risks may now have a reduced workforce and may not be able to address patching or mitigation on system configuration or cyber awareness around potential phishing attacks. Keeping this in mind, the individual risk tolerances and the company’s overall performance (risk) appetite will need to be revisited and potentially adjusted.
4. Don’t forget the upside of risk
While COVID-19 has resulted in negative impacts across multiple industries, it is important to consider potential upside opportunities. It’s expected that shutdowns will negatively impact the financials of many businesses; however, ERM professionals can help their organizations identify where there may be a desire to take on more risk. ERM can help executives and other business leaders identify new opportunities for growth. For example, some manufacturers may be able to reconfigure their facilities to provide health care workers with needed supplies (increased demand) in a pandemic.
Being agile is important to capture new opportunities. Organizations need to consider how their business can adapt their operations or services to align with the revised needs of the market. The role of the ERM professional should be focused on ensuring that the risks and/or opportunities are assessed to align with the company’s adjusted risk tolerance levels. In the same example as above, understanding the risks associated with manufacturing new products should be a key part of the analysis prior to making a final decision.
Reassessing risks or new opportunities does not need to be cumbersome and time-consuming, especially considering many businesses will be keenly focused on revenue-generating activities. Keeping the assessment simple and utilizing technology and automation will speed the process. Reassessing the risk profile will provide vital information to help leaders make risk-informed capital allocation decisions to stabilize and optimize operations as recovery and rebuilding happen.
Beyond: transform for sustainable growth
The final step is to look beyond COVID‑19 and position ERM to add organizational value for 2020 and beyond. Boards and executives will likely be asking what can be done to be better prepared for risks in the future, and it will fall on ERM professionals to improve on the existing risk process. Potential areas of focus may include:
- Transforming from qualitative to quantitative (quantifying risk exposures)
Recent events have shown the value of quantifying risk when we were presented with the “flatten the curve” distribution of COVID-19 cases. Understanding the quantitative exposure of a risk and comparing it to the acceptable risk tolerance levels will play an instrumental role in informing leaders’ capital (resource) allocation decisions. The change in the overall economic and business environment calls for revising the underlying scenarios that form the basis of the quantification and providing an updated value of risk exposure to the company. A practical way for organizations to increase their overall program maturity is to pilot risk quantification with one to three key risks. The pilot will provide leadership with objective risk insights and allow leadership to determine the value of expanding risk quantification to the rest of the risk portfolio.
- Leveraging data analytics and metrics to support ongoing risk monitoring
Once risk exposure and tolerances are better understood, risk monitoring should be part of the ongoing activities of the ERM function. Organizations must develop key risk indicators (KRIs) to support actionable risk monitoring to provide some early warnings of possible risk changes. Each risk must have unique KRIs, and ERM professionals can assist business leaders in identifying and tracking the appropriate metrics.