As a new virus, there remain many scientific and medical uncertainties associated with Covid-19 which will continue to challenge organisations’ ability to plan and recover with high degrees of confidence.
Now that many countries are beginning to ease lockdown provisions, organisational pandemic risk models should evolve their focus beyond survival to sustained operation under constrained conditions, and assessment of longer-term strategic value drivers and recovery in likely structurally changed environments.
Closer integration of resilience concepts and practices with Enterprise Risk Management (ERM) is anticipated to be a developmental focus during and post-Covid. This may include more routine scenario and risk correlation analysis with changes in risk reporting to better understand rare, complex and high impact risks and vulnerabilities, strengthened / formalised collaboration between risk and resilience practioners across the lines of defence, and risk-based determination of organisational resiliency positions.
Ongoing developmental trends in ERM, such as digitalisation and practical articulation of risk appetite, should benefit from renewed focus and investment in the discipline as a result of the pandemic shock.
Pandemics are a known risk, although notable by their absence from many organisations’ risk registers. Putting aside the taxonomy of coloured animals, we know that full-blown pandemics are thankfully rare but, as the world is experiencing, can have immense consequences on our way of life.
There are many scientific and medical uncertainties with this new strain of coronavirus, including:
how many people have been infected and whether immunity to reinfection is robust and for how long this lasts;
if there are any genetic, as well as environmental, determinants of susceptibility and severity of infection;
how might the virus mutate;
will there be unexpected clinical consequences of infection and national responses;
if effective vaccines and therapeutic drugs can be developed, how quickly will they be available en masse;
whether contact tracing and other national mitigation measures will be effective; and
how subsequent waves of infection will manifest.
These uncertainties present extremely difficult risk appetite decisions for governments balancing containment and control measures to protect life vs. relaxing lockdown provisions and restarting the economy to avoid the cure potentially causing more suffering than the disease.
For many businesses, survival and damage limitation has, unsurprisingly, been the immediate focus of leadership teams, line and functional management: ensuring staff safety and wellbeing, cash preservation and financial covenant protection, proactive engagement with clients and suppliers, enabling remote working at scale, and maintenance of skeletal operations and so on.
Those organisations with robust Business Continuity Management (BCM) and resiliency capabilities, especially those that have previously analysed pandemic risk scenarios, will hopefully have reaped the benefits of this investment by having a solid understanding of who and what is critical with pre-defined procedures to protect, maintain, shut-down and recover activities accordingly, easing some of the pressure on management. However, the severity of this pandemic and associated governmental responses, coupled with its myriad of interconnected risks, is still likely to have significantly challenged those organisations that were relatively well prepared, never mind those that have not adequately invested in their risk and resilience systems.
We are obviously still in the early stages of this pandemic, although many countries now appear to be past the peaks of the first waves. Governments are now debating how to restart their economies, so the joys of professional hindsight to critique with certainty any ‘failures’ in the disciplines of risk management and resilience may have to wait a while. That being said, it is to be expected that questions will be asked as to whether these systems and capabilities are optimally structured and resourced so that they adequately prepare, protect, and enable organisations to recover from extreme and complex risk events, in addition to the more familiar and mundane risks that often consume leadership focus.
So what should risk and resilience functions currently be doing to help their organisations manage and recover from this crisis, and how might they evolve during and in a post-Covid world?
Is Enterprise Risk Management (ERM) irrelevant for managing risk scenarios such as a pandemic, as in practice it is too high level and focused on showing blobs of well-known risks on a heatmap every six months? How is risk appetite useful if it has been developed as a series of vague ‘red line’ sentences for discrete risks and is independent of upside and risk correlation? Does parroting the need for more robust and predictive data to better anticipate and manage risks fall on deaf ears as it isn’t backed up with tangible outputs?
What actually is resilience, be that enterprise, organisational or operational? Is it really just ‘sexed-up’ BCM? Is it risk agnostic, being an innate ability to cope with, adapt to and recover from any type of threat or disruptive event? Is it a subset of ERM, constituting the controls and activities to mitigate disruptive risks? Is ERM a subset of resilience, and should therefore report under a Chief Resilience Officer?
The answers to these deliberately provocative questions are already pretty clear for a number of organisations and practioners, although we still do encounter some fairly contentious opinions on these challenges, definitions and hierarchy, with personal views often depending on where a practioner’s background and loyalties lie. Of course, there is no right or wrong answer either, as structure, approach and maturity of second line functions and disciplines (as well as first line practices and third line assurance) will be specific to the resources of an organisation, its risk profile and the outcomes it is trying to achieve.
What is fair to say though is that there are many precedents, developments and initiatives across the disciplines of risk and resilience (including ERM, BCM, Insurance, Supply Chain Risk Management (SCRM), Environment, Health and Safety (EHS) etc.) that are already established and available for organisations to consider and potentially apply to support their management teams through this crisis and with recovery, as well as guiding the longer term structural evolution of these disciplines and enhancing the value they provide.
Outlined below are our thoughts on some of the (interrelated and reinforcing) techniques, characteristics and qualities we feel are worthy of consideration when evaluating future design and practice and how they could be adopted in an ERM framework, although we note that this is an expansive and evolving area of thinking so this is by no means a comprehensive list. Common themes include more routine development and use of scenario analysis and stress testing to understand rare and complex risks (using this pandemic as an example), closer collaboration between the organisational disciplines and functions that underpin risk and resilience, and renewed focus on risk appetite taking account of stakeholder tolerances and structural changes in business models and markets.
Building a pandemic risk model
The pandemic has created a range of new risks and obviously affected the severity of many others, with multiple correlations evident (risks that have relationships) e.g. increased cyber risk due to remote working, heightened fraud activity due to strained control environments and opportunistic criminals etc. A sample of common areas of risk we are seeing clients consider includes:
Most organisations will have convened crisis teams to pool subject matter expertise across the wide range of business and risk areas the pandemic is affecting, supplemented with feeds of a suite of data sources and forecasts (e.g. from World Health Organisation, government agencies, trade associations etc.) to provide insights on status of the pandemic by country and rapid response, planning capabilities and capacity. No doubt, many organisations should also be rightly proud of the way their people have come together to successfully work under novel and traumatic circumstances.
ERM and BCM teams, among many others, will likely be critical participants engaged in crisis response, but has the existing ERM approach and outputs actually helped the organisation in this context? Traditional enterprise risk assessment is focused on uncertain events that can affect core strategic objectives, typically being performed once or twice a year in many organisations and producing a reporting shortlist of a small number of ‘top’ risks. In the current environment, this is unlikely to provide management and leadership teams with the depth of actionable risk insights they need, nor obviously at the right frequency. Scenario work by BCM teams may provide a more fertile source of intelligence, depending on stress severity assumed and how comprehensive the risk and sensitivity analysis performed was, although the scale, length and complexity of this pandemic has probably taken even the most conservative planners by surprise.
Many organisations will have already performed some form of pandemic risk assessment / model development, as well as undertaking and feeding in financial modelling, workforce and supply chain reviews etc. to provide insights on how best to survive the initial stages of the crisis.
As countries across the world now slowly start to relax lockdown restrictions, pandemic risk models should be evolved so that they also reflect (if they do not already) key value drivers (i.e. those capabilities, activities and other factors which materially determine the company’s ability to create and add sustained value), assumptions and dependencies inherent to the business model and strategy. This will facilitate identification and evaluation of new and changed risks of relevance and the mapping of each driver’s associated risk sensitivities over current and future phases of the pandemic, as well as how potential governmental and third party network responses (and internal mitigation actions) across key markets may affect them. Phases considered should include periods during lockdown and containment, when these conditions are eased / how and economic activity begins to ramp back up, and longer-term post-pandemic recovery over a range of timelines and assumed trajectories / structurally changed market environments. This will enable stress testing and risk forecasting of the business model / strategy under different scenario and stress conditions, both singularly and in combination e.g.:
As outlined in our blog on emerging risk management (www.mercandco.com/post/emerging-risk-management), developing such a model will typically require input and ongoing support from a broad range of functional areas throughout the business such as Strategy, Finance, Marketing, HR, Legal, Procurement, as well as second line risk and resilience focused disciplines such as ERM, BCM, Insurance, Compliance etc. and Internal Audit (although the latter may need to be kept independent to provide assurance over e.g. the reliability of input data and model functionality).
Once relevant risks and exposure levels under different scenarios have been characterised, risk correlation analysis needs to be performed as looking at risks in isolation may provide an inaccurate picture of reality and compromise prioritisation and mitigation responses. Ask: which risks can interact, influence and occur together and what could be the aggregate impacts, financial and otherwise? Interrogate what is the nature and strength of these relationships, and how they could affect organisational status and performance so a quantified assessment of correlation effects can be derived.
Note also that new or revised risk assessment criteria and reporting, different from existing ERM templates, may need to be defined to facilitate risk evaluation and comparison e.g. refined financial criteria for cost inflation, brand equity, customer / supplier attrition etc. Ongoing reviews by the convened expert group of risk status and subsequent leadership reporting will likely be needed.
Risk appetite should also be a core consideration by leadership in determining strategic and risk responses – short-term decisions on, for example, employee retention, public statements, customer engagement, contractual enforcement, supplier payment, senior management pay etc. could have longer-term trade-offs on brand perception and customer loyalty. Depressed asset prices and weakened competitors may present strong opportunities for those prepared to take on more risk. Explicitly defining and quantifying the upside and downside balance of these options and decisions, adjusted for the heightened levels of uncertainty inherent to a pandemic environment, should help provide an objective framework when making such calls.
Second line functional integration and collaboration
For many years there have been calls to remove siloed ways of working between second line risk and resilience functions and practice areas (and some first line activities e.g. SCRM), but many organisations have yet to achieve this. It clearly makes sense to pool resources and share expertise and data where this will provide a beneficial outcome to the organisation’s protection and efficiency, and ability and capacity to take risks to exploit opportunities.
As noted above and below, scenarios such as a pandemic require the inputs from and coordinated response of many different actors within an organisation to understand impacts and to develop effective response strategies and capacities, so one of the silver linings from this Covid ordeal maybe that collaboration becomes more structural.
This need to work together is unlikely to dissipate with numerous draws on collective expertise expected. For example, post-Covid there is likely to be pressure for more ‘fat’ or redundancy to be introduced into business processes and supply chains to address fragilities that can be caused by overly lean, high-efficiency operations e.g. aspects such as single sourcing, product specificity, offshoring and outsourcing, inventory holding, just-in-time delivery etc. This is certainly not a new concept, but the view of resilience therefore as an enabler of desired outcomes, rather than a cost, should now be better understood and embraced by stakeholders, although setting and communicating the right balance will be challenging and depend on multiple expert inputs.
Although investors, for example, may likely be more open to accepting reduced financial returns due to investments made by organisations in their resilience and the associated efficiency trade-offs (if clearly justified and communicated), defining this balance will require close collaboration between relevant functions that are advising leadership teams to help articulate their ‘resilience’ risk appetite, as well as examining how they themselves self-contribute to efficiencies in the ways that they work.
Soft tactics to promote integration could include agreeing a common language and aligned methodologies for risk and resilience throughout the organisation, routinely sharing Function plans and reporting outputs, joint exercises, initiatives and projects, as well as social engagements. More formal mechanisms, if appropriate, could include revised governance and reporting structures (what does the ‘R’ in CRO stand for?) and joint financial and performance targets and incentives.
This is currently a key focus in UK Financial Services in response by regulators to major disruptions to service provision suffered in the recent past by several financial institutions, and exemplifies many aspects of good practice that is relevant to the future development of risk and resiliency management across all sectors.
Operational Resilience (OR) focuses on resilience as an outcome, traversing organisational siloes. It is characterised by a collaborative and coordinated effort of all actors within an organisation that can influence and affect the continued operational provision of critical services to customers, so includes second line functions as well as focus on process architecture, third parties, infrastructure and technology assets, and the workforce. A key influencer in defining OR positions and capacities is a concept known as Impact Tolerance – what level of disruption will customers tolerate before this becomes unacceptable to them and they suffer some form of ‘harm’; this serves as a lens to evaluate whether a level of resilience is sufficient from a customer, rather than e.g. a technology cost perspective. (We discuss Impact Tolerance in our blog here: www.mercandco.com/post/impact-tolerance-easier-said-than-done).
Although obviously focused on operational disruption, and perhaps not initially envisaged for such an extreme and lengthy tail event as this pandemic where rules are being rewritten and profound structural change is afoot, many of its principles are relevant to a wider consideration of risk and resilience: an integrated, outcome based approach, focused on a comprehensive understanding of what and who really matters in an organisation to sustain the critical services it provides.
Of note is that when considering wider organisational resilience, such as the ability to withstand financial shocks, loss of customer demand etc., the focus of Impact Tolerances may benefit from being broader: organisations have a wide range of stakeholders, as well as customers, so having an understanding of what they would tolerate in terms of erosion of the benefit provided to them and others will further help refine the risk and resilience strategy (see our blog on stakeholder risk at www.mercandco.com/post/the-rise-and-risk-of-stakeholders).
ERM framework structure
Rare, highly connected and complex risks such as this pandemic are arguably beyond the current practical design remit of many organisations’ ERM systems which tend in reality to be biased towards identifying and reporting on risks that have higher probability, simplicity and familiarity to the audience. Does this therefore mean that ERM is not fit for purpose?
There are common weaknesses we often see with ERM system design and execution (see www.mercandco.com/enterprise-risk-management for some examples), but as noted above, current approaches to ERM tend to focus on the most significant, singular risks to strategy based on their assessed impact and likelihood. Risks assessed as very low likelihood, such as a pandemic, tend to be deprioritised by leadership teams and oversight committees who understandably are more concerned by those risks they think could be most problematic in the near term.
A number of questions arise from this:
Should risk heatmaps be phased out?
How should risks be prioritised for focus?
Should risk governance bodies spend more time looking at rare risk scenarios and ignore probability?
Should ERM teams spend more time performing scenario analysis and stress testing, and better align with and integrate resilience concepts, and if so how?
If organisations find heatmaps useful then they should probably be retained (although how far outside appetite a risk currently is, rather than an arbitrary impact and likelihood score, would be a more useful measure / visualisation). However, heatmaps should not form the sole basis of risk review and prioritisation – low probability, high impact risks cannot be ignored. This is not new thinking, and deprioritisation of risk probability as a determinant of management focus has been advocated by a number of advisers for years i.e. if a risk could have a very large impact it needs to be formally addressed, regardless of its likelihood.
Risk reporting should therefore be supplemented with outputs from additional analyses, with deep dives and regular updates on risk areas of significance beyond those on the heatmap being a routine activity and included as a standing item in reporting. There is a broad array of methods that can be deployed to evaluate more complex, emerging and interconnected risks: scenario analysis and stress testing including consequence based approaches (starting from extreme stress levels and working back to identify risk pathways) leveraging internal and external experts as noted above, risk correlation analysis, bow tie analysis, quantitative modelling etc.
The outputs of such analysis will also enable predictive risk indicators and alert signals to be determined and mapped to internal and external data sources to facilitate ongoing monitoring of causal drivers of risk exposure and precursors of organisational stress conditions. This is relevant to setting risk tolerances (a threshold at which a metric value becomes of concern / unacceptable) and having early warning of changes in risk status to enable timely response and interventions. It should also provide an efficient mechanism, particularly if monitoring is automated, to manage rare risk scenarios when aligned to resilience positions and response strategies. As noted earlier, the levels of resilience developed within an organisation in terms of the trade-offs made between cost and efficiency across its operations and supply chains will be one of the core areas of risk appetite that Boards will need to rethink post-Covid.
Organisational investment in risk and resilience capabilities is expected to increase due to the experience with this pandemic. As well as potentially changing the way ERM operates, this should also provide a boost to developmental initiatives that have been going on for some time such as digitally enabled risk management that better leverages technology, the data landscape and Artificial Intelligence (AI), structural integration of risk management with business as usual activities and strategy setting and execution, and articulation of risk appetite such that it lives up to its definition as a coherent expression of the quantum of risk the organisation wishes to take to execute strategy.
The challenge to successfully manage and recover from this pandemic is enormous, and tragically many people have lost their lives and loved ones. Unfortunately, many businesses will also not survive the stresses these circumstances create. I hope that this article provides some useful food for thought to help organisations manage through this difficult period, but I also recognise that the disciplines of risk and resiliency management are not a panacea, and this is an extremely broad and complex area with a great deal of uncertainty, of which this article touches on only a small part. If you have any questions, or would like to discuss any areas I have raised, please drop me a line, always happy to chat through.