Much like the financial crisis in 2008, the COVID-19 pandemic has prompted many organizations to rethink their approach to risk. As disruptive as the events of this year have been, they've also served to reinforce the value of strategic risk management principles.
During the pandemic, many organizations have found gaps in their risk management strategies. These setbacks can provide an opportunity for risk managers to reconsider their approach and enhance their ability to uncover and mitigate emerging risks in the future. The next significant threat to an enterprise could be, among other things, policy changes, geopolitical conflicts, volatile financial markets, natural disasters and industry disruptions.
Identifying and preparing for the risks on the horizon is the primary task of a risk manager. By anticipating risks - and creating a sound foundation for addressing and mitigating them - organizations can become more operationally resilient to navigate potential impacts. It takes dedication to both the process and cultural change. Take these three steps to help your organization get ready for the unknown.
Adopt a Formal Risk Assessment Process -- Before You Need It
Organizations that follow a formal process for managing risks are more resilient than those that take an ad hoc, reactive approach. Risk assessment comes in degrees of maturity. First, it takes a board-level understanding of, and commitment to, risk management, as well as consistent and routine risk reporting throughout the organization. Aon’s most recent Risk Maturity Index Insight Report even noted higher stock price volatility for organizations with less sophisticated risk management practices.1
When you have board-level commitment and consistent, organization-wide reporting, it should be followed up with data and analytics. Risk managers should look for data on potential threats beyond industry groups. All the data should be run through a formal collection and review process with a governance structure that rolls up to decision-makers.
A comprehensive risk assessment process should include participation by key stakeholders for strategy development and policy setting. Boards of directors and cross-functional working groups can provide information that may reveal otherwise overlooked perils.
Many organizations use risk-based decision making, but often lack a process to vet and prioritize emerging risks. A constructive challenge process can help decision-makers take a broader perspective and look beyond day-to-day operational risks. A robust process will ask these questions:
- Is this risk relevant to the enterprise?
- What are the potential financial and operational impacts on the organization?
- What are the right metrics to assess the risk?
- When should an organization worry about the risk?
- Should the organization prevent or mitigate the risk?
- Are we properly aligned as an organization to spot potential new risks?
These questions from the challenge process can help quantify the risk, determine whether the risk can be retained or transferred, and demonstrate the overall value of your risk management strategy.
Monitor Your Supply Chain Closely
Ensure you fully understand your supply chain, so you aren't caught off guard by global events. Monitor the emerging risk in all the geographies where your supply chain operates.
The pandemic demonstrated that public health crises can ripple through the supply chain and have significant impacts on how businesses in certain industries perform. Risk managers can use sophisticated tools, such as supply chain modeling, to pinpoint weaknesses and opportunities to build redundancies.
With supply chain modeling, organizations can dig deeper into granular data to see what particular aspects of its supply chain are most at risk.
Emerging threats to supply chains can be difficult to mitigate because companies have spent millions, if not billions, to build the infrastructure around those sourcing strategies. Prevention is the best way to face a threat, but mitigation can be more cost-effective. Often, organizations choose to mitigate rather than prevent emerging risks to the supply chain as they slowly adjust their production processes through capital expenditure over time.
Embed Risk Thinking Throughout Your Organization
Risk assessment needs to be ongoing – not just a once a year process – if you want to spot emerging risks quickly enough to respond.
When aligned to organizational objectives and built with consensus among key stakeholders, risk management programs help protect the operational and financial wellbeing of the organization -- and can even lead to strategic and competitive advantages.
Close integration with risk management depends on an organization's culture. A risk manager should facilitate this integration by identifying key metrics and providing training relevant to the organization. For example, if an organization faces a threat to its cybersecurity, employees must know how to recognize a cyberattack and report it to the appropriate personnel. Metrics and training depend on the culture of the organization, and the risk manager should be able to navigate and experiment with ways to encourage more thinking about potential threats. With any large organization, it can be helpful for one executive to have ownership over identifying and preparing for emerging risks.
These steps can help risk managers and their teams uncover and mitigate emerging risks for their organizations. It takes time and effort to develop a better assessment process, focusing on threats that can potentially restrict the supply chain and a commitment to embed risk management into an organization's culture. Those that put in the work can face an uncertain future with more peace of mind.
1. Aon Risk Maturity Index Insight Report, October 2017