Anticipating the risk, managing the crisis, recovering
As the whole world knows, we’re in an unprecedented crisis, and many of us have been caught unawares by the COVID-19 global pandemic — even though there have been warning signs throughout recent history.
Bill Gates has been warning the world that we were unprepared for a pandemic since 2010. After interviewing him in 2015, Ezra Klein ofVox wrote that “a pandemic disease is the most predictable catastrophe in the history of the human race, if only because it has happened to the human race so many, many times before”.
As companies struggle to come to grips with the many unanticipated challenges emerging from the pandemic, they must understand they’ll need to change their approach to risk management. Risk management alone will not improve overall resilience and response and there for a more holistic approach when carrying out risk assessments is required.
What are the 4 Key Aspects of Risk Management and Resilience
There are four aspects to risk management and resilience that companies must internalise:
1. Anticipate Risks
We need to improve our ability to anticipate. Essentially this refers to our ability to assess our internal and external operating environment and identify the risks and opportunities faced to reach our strategic objectives. As humans, we are inherently not very good at anticipating — and a common response is “it has never happened before” or “that will never happen”. Risks are often managed and viewed in silos, each specialist risk area only looking at how risks relate to themselves. Risk Management as a discipline has evolved and should be a strategic enabler therefore a more enterprise view is required.
Enterprise risk management has undergone vast changes
In the past, companies were most concerned with mitigating losses. Risk management was seen as a ‘tick-box’ exercise that companies complied with grudgingly. Risk managers were appointed to manage risk and a silo approach prevailed — with various departments like health and safety or finance taking on responsibility. Companies focused on operational risk (what they could control easily) and applied different risk methodologies in various specialist risk areas. A static risk register on an Excel spreadsheet was the norm.
Today, we are far more focused on creating AND protecting value.
Risk is integrated into the business and presents various opportunities to build and safeguard resources. All staff should have a sense of ownership, applying a holistic risk and opportunity methodology and using dynamic, up-to-date information that is always freely available. Companies should consider strategic and project risk as well as operational risk, and look for value-adding information that brings about better decision-making.
What are the benefits of enterprise risk management?
Risk management should be a combined effort, with the risk team, business and assurance providers working together – and proactive behaviour should be the order of the day, with teams focusing on anticipating uncertainties and crises.
The aim is ultimately to put an early-warning system in place. If we can spot ‘red flags’, we can act promptly and with confidence. Providing combined assurance is an extra line of defence during a crisis.
It also creates stakeholder trust – if shareholders, customers and the public know that your company is managing its risks effectively, it will have a lot more confidence.
Some key actions:
- Understand the external and internal context – gather as much information as possible.
- Identify possible risks and understand the contributing factors.
- Rate risks to enable prioritisation of limited resources – What is the likelihood of each risk, and what would the impact be?
- Understand what you are already doing to respond to the risk.
2. Withstand Risks
We need to ask ourselves if our businesses have the operational resilience to withstand these events.
Millions of companies worldwide – restaurants, bars, theatres, gyms, cinemas, casinos – are either restricting operating hours and visitor numbers or closing their doors. Have we built in operational resilience and do we understand our response to “red flags”?
Some key actions:
- If you don’t have an adequate mitigating response in place, identify action plans, assign action-plan ownership, and stipulate due dates.
- Identify and track key risk indicators or red flags.
- Build operational resilience by identifying and addressing single points of failure.
3. Respond to Risks
Emergency response: An immediate response to an incident, where actions need to be taken swiftly to safeguard life, looks at limiting injuries and preventing the escalation of physical damage to assets. In the current crisis, it means safeguarding the wellbeing of staff and guests, putting disinfecting measures in place, and possibly shutting down affected premises temporarily.
Crisis management: Senior management must engage in strategic decision-making and provide leadership during the event/incident. This includes ensuring that the brand’s image and reputation remains untarnished (is the brand making the right decisions at the right time and informing stakeholders on a regular basis?). Can you be sure of stakeholder confidence at this time? What is being reported in the media?
Some key actions:
In terms of reporting incidents/potential cases of COVID-19, develop and test an appropriate protocol that is aligned with the World Health Organisation and local authorities.
- Activate crisis management plans (including crisis communications) to discuss a strategic enterprise-wide response.
4. Recover from Risks
Finally, we need to consider what it will take to recover – do we have a business continuity management plan in place?
Business Continuity: Can your company recover or continue with urgent or critical business processes and meet the predetermined recovery time objective (RTO) in order to minimise the impact on the organisation?
Disaster recovery: Do you have plans and processes in place that will help you to restore IT services, inapplicable? These services frequently support the business within an acceptable recovery time objective (RTO).
Companies that rely on outdated business models should change their approach and focus on building resilient ecosystems that can adapt. Importantly, companies should be able to adopt more flexible ways of working, and trust their employees to drive business forward in a way that differs from ‘business as usual’.
Some key actions:
- Your crisis management team should invocate a Business Continuity Management Plan.
- Implement a ‘work from home’ / flexible work strategy if possible.
- Change worker shifts to limit contact.
- Transfer the responsibilities of affected staff to others.
- Follow documented standard operating procedures.
Use these 4 aspects to mitigate risks and succeed
In conclusion, people are going to respond with panic and fear – it is a natural response. However, good leadership can mitigate this, by reassuring staff and guests, making decisive decisions, and taking a responsible approach.
COVID-19 will have a dramatic impact on our economy, but economic concerns should not override the legal and moral obligations that companies and governments have towards their employees and citizens.