After two decades of focusing on risk management in a continually disruptive business environment, the epic failure of preparedness for the COVID-19 pandemic is teaching American companies a hard lesson. It’s time to rethink how organizations approach risk management. If we didn’t understand that many risk management plans are the result of known implications and proven mitigation efforts in a static environment, we surely do now. There is nothing static about this virus. Nor can we expect the next crisis to be more predictable in what has become a globally volatile, uncertain, complex and ambiguous environment (“VUCA”). This pandemic is an opportunity for risk managers to reimagine their approach for a highly uncertain future.
A critical consideration in rethinking risk is to “elevate” risk management from a “check the box” compliance/crisis management function to a continually evolving strategic planning function necessary for the very success and survival of the business. A good first step in that direction is to determine which of the changes the organization made during the pandemic should become permanent. In doing so, organizations must change the way they approach risk, including identification, assessment, monitoring and reporting of risks. Businesses need to look for opportunities to automate compliance activities so they can devote more time to strategic scenario planning.
At the outset of disruption, business leaders need a clear picture of the current state and potential developments/outcomes. Risk leaders need access to data, the right analytical tools (including predictive analytics), and the ability to communicate with the organization in real time or near-real time. Further, the risk team should be prepared to provide early warnings of emerging risks to support decision-making with actionable insights and recommendations.
Another consideration is to reevaluate “risk appetite,” or the level of risk that an organization is prepared to accept in pursuit of its objectives. Risk thresholds may change as a result of revisions to the business model due to the pandemic. Changes to risk thresholds should include a strategic needs and expectations analysis of all stakeholders (customers, employees, the board, vendors, partners, investors, the media, the community, and society at large) that considers not only the immediate effects but also “knock-on,” or indirect, secondary, cumulative effects.
Scenario planning must be more robust and inclusive. To begin, organizations might review and reassess their scenarios in light of the current situation. Going forward, scenario planning should be a multidisciplinary effort that includes risk experts, business leaders and IT specialists who understand how to assess the sensitivity of each scenario on the existing infrastructure, thus linking operational risk to operational resilience.
The organization should assess its current controls for efficacy. Review of key risk indicators (“KRIs”) and key control indicators (“KCIs”) must be frequent and timely to match the frequency of changes in risks. Review of action planning should follow KRI and KCI reviews and be linked to decision-making and the overall business strategy. Likewise, technology tools and optimal data collection must enable meaningful monitoring and reporting.
The reality is that the future is a moving target. Companies will need to be extraordinarily agile in making good decisions quickly under extreme conditions. Inertia is the enemy of planning in a VUCA environment. Risk should be an enabler of strategic risk management and not a hindrance to decision-making. Fast decisions, viable solutions and immediate engagement are the hallmarks of strategic risk management.