Risk management experts discuss the COVID-19 pandemic and its impacts on risk management, resilience and business continuity
Published: Thursday, 09 April 2020 09:07
In an interview-style article, experts from the Institute of Operational Risk and Institute of Risk Management discuss COVID-19 and how the risk management profession is reacting.
Participants: Carolyn Williams, CMIRM, Director of Corporate Relations, Institute of Risk Management and Dr Jimi Hinchliffe, SIRM, Chairman, England and Wales Chapter Institute of Operational Risk.
Question: Is the coronavirus likely to mark a turning point for the risk management profession?
Dr Jimi Hinchliffe
Yes, in so far as this is the latest iteration of a known virus that could recur or mutate in the future i.e. it may not just be a one-off risk that will go away.
Business continuity and crisis management are a major focus for financial firms and have been brought into even greater focus by global regulators’ attention on operational resilience. COVID-19 is providing a real test of organizations’ business continuity management arrangements and continuity planning and is keeping continuity specialists, operational risk managers and Boards extremely busy. A core principle of risk management is to learn from experience and improve, and I am sure that there will be lessons from the experiences of dealing with the challenges of COVID-19 which will result in improved resilience and better risk management.
It certainly seems like coronavirus will prove to be a landmark in how countries, organizations and individuals deal with external strategic risks, in the same way as 9/11 or the global financial crisis. We will be talking about this for years to come, not so much in relation to the physical nature of the illness, but more in terms of the highly disruptive measures that are being taken to reduce the spread of the virus. And at the current time, we still don't know the full extent of those measures, or their second order impacts as organizations are hit by the restrictions, revenues are impacted and economic growth curtailed. Organizations like the World Economic Forum have had pandemic on their lists of top global risks for a long time, so no one should really claim to be surprised - it's not a Black Swan, in its strictest sense, although having a resilient organization will still prove to be the best defence.
Question: What do you think will change in the longer term as a result, in terms of business resilience and risk management? For example, do you expect companies to make changes to supply chains and staffing to build resilience?
Dr Jimi Hinchliffe
One of the challenges of improving resilience is to have the ‘Plan B’ and even ‘Plan C’ to ensure continuity of business services even where there are severe operational disruptions. This certainly includes having backup supply chains and redundancy in resource and system capacity. One of the challenges facing the industry is that a lean and efficient organization isn’t necessarily the most resilient. ‘Redundancy’ is often seen as inefficient, yet it’s critically important for operational resilience.
I would expect to see organizations taking business continuity arrangements much more seriously, in particular testing of plans. We will learn a lot about what are the vulnerabilities of the organization and about decision-making and communications - what works and what doesn't - in crisis situations. I would also expect boards to pay more attention to global strategic risks, thinking the unthinkable in relation to things like power blackouts and antibiotic resistance. And on the basis that 'it never rains but it pours' I expect we are also going to learn a lot about interconnected risks - tech firms are already issuing warnings that the disruption from COVID-19 could provide an entry point for cyber attacks, at the same time as a proportion of your security staff are absent.
Question: In particular, might it result in an investment in risk management? Scenario planning? A bigger role for risk managers?
Dr Jimi Hinchliffe
Crises tend to remind firms of the importance of investing in good risk management - following the global financial crisis many firms invested in their risk management teams. I certainly expect the COVID-19 crisis to again increase attention on the value of risk management, and that we may see firms enhancing their resources, capabilities and looking at their systems and reporting. Also, although a crisis tends to result in a short-term focus on sound risk management and its benefits, this may then diminish as the corporate memory does. However, this time may be different with the regulatory focus on operational resilience under the SM&CR regime and the emergence of climate risk. Even if it doesn’t result in significant expansion to the risk function or changes to risk management frameworks generally, it will almost certainly lead to increased resources for resilience specifically e.g. IT, supply chain, HR, remote conferencing / working capabilities.
Mega-risk events do change behaviour (e.g. airport security), sometimes driven hard by regulation, which we should expect in the aftermath. I would expect some retrospective assessment of whether organizations' risk management frameworks and processes were looking at the right risks in the right way. Some of the recent work that IRM has supported at the Cambridge Centre for Risk Studies has built upon their extensive work modelling the impact of significant risks on the financial position of organizations (and also on the GDP of whole countries). I would expect to see more of this type of scenario based analysis as it helps to identify in advance the potential financial impact, or value at risk, and thereby give some support to investment decisions.
Question: Will risk management departments have been able to demonstrate their value in this crisis, or might the crisis have exposed limitations/shortcomings? What are likely to be the lessons for risk managers - i.e. what could they have done better if they had the resources and the frameworks in place?
Dr Jimi Hinchliffe
It’s impossible to say what the lessons learned will be until the crisis is over. However, I’m sure there will be lessons to learn and there will be opportunities to improve and become more resilient for the next crisis or challenge that comes our way. These kinds of major challenges are best managed by a team, including senior risk owners in the first line of defence and with operational risk managers in the second line of defence to provide oversight, challenge and advice. One of the challenges for second line operational risk managers will be to ensure there is a balanced, proportionate and common sense approach.
Time will tell as we see which organizations make it through the crisis, and what were the key survival factors (some may even come out stronger). I think the big lesson will be that organizations need to have modern, forward thinking risk teams in place, with the resources to do their job properly, but also that risk management can't just be kept in a box and seen as the responsibility only of the risk team - it's a competence that all managers in the organization, the first line of defence if you like, need to have.