COVID-19 caught many organizations flat-footed, exposing vulnerabilities in their risk management strategies. In fact, 82% of businesses didn’t consider pandemics or health crises as a top 10 risk prior to COVID-19, and a third of organizations believed their existing Enterprise Risk Management program was sufficient to cope with the impact of a pandemic.
A year has changed much. Eight in 10 organizations agree that the key lesson to take away from the COVID-19 pandemic is the need for an enterprise-wide approach to risk to manage their total cost of risk.
The pandemic sent a strong message to organizations that they must focus on identifying and planning for potential emerging risks and eliminate gaps in their risk management strategies. That’s the primary task of a risk manager – a good enterprise risk management strategy is essential as we begin to build a new better.
The next significant threat to an enterprise could be, among other things, policy changes, geopolitical conflicts, volatile financial markets, natural disasters and industry disruptions. Further, flexibility should be considered in an organization’s enterprise risk program. Where it has traditionally been an annual strategy, consider a more frequent, perhaps quarterly, program that can more quickly pivot and assess changes to the risk profile.
By anticipating risks – and creating a sound foundation for addressing and mitigating them – organizations can become more operationally resilient to navigate potential impacts. It takes dedication to both the process and cultural change. Take these three steps to help your organization get ready for the unknown.
1. Adopt a Formal Risk Assessment Process – Before You Need It
Organizations that follow a formal process for managing risks are more resilient than those that take an ad hoc, reactive approach. Risk assessment comes in degrees of maturity. First, it takes a board-level understanding of, and commitment to, risk management, as well as consistent and routine risk reporting throughout the organization.
When you have board-level commitment and consistent, organization-wide reporting, it should be followed up with data and analytics. Risk managers should look for data on potential threats beyond industry groups. All the data should be run through a formal collection and review process with a governance structure that rolls up to decision-makers.
A comprehensive risk assessment process should include participation by key stakeholders for strategy development and policy setting. Boards of directors and cross-functional working groups can provide information that may reveal otherwise overlooked perils.
Many organizations use risk-based decision making, but often lack a process to vet and prioritize emerging risks. A constructive challenge process can help decision-makers take a broader perspective and look beyond day-to-day operational risks. A robust process will ask these questions:
- Is this risk relevant to the enterprise?
- What are the potential financial and operational impacts on the organization?
- What are the right metrics to assess the risk?
- When should an organization worry about the risk?
- Should the organization prevent or mitigate the risk?
- Are we properly aligned as an organization to spot potential new risks?
These questions from the challenge process can help quantify the risk, determine whether the risk can be retained or transferred, and demonstrate the overall value of your risk management strategy.
2. Monitor Your Supply Chain Closely
Ensure you fully understand your supply chain, so you aren't caught off guard by global events. Monitor the emerging risk in all the geographies where your supply chain operates.
The pandemic demonstrated that public health crises can ripple through the supply chain and have significant impacts on how businesses in certain industries perform. Risk managers can use sophisticated tools, such as supply chain modeling, to pinpoint weaknesses and opportunities to build redundancies.
With supply chain modeling, organizations can dig deeper into granular data to see what particular aspects of its supply chain are most at risk.
Emerging threats to supply chains can be difficult to mitigate because companies have spent millions, if not billions, to build the infrastructure around those sourcing strategies. Prevention is an effective way to address a threat, but mitigation can be more cost-effective. Often, organizations choose to mitigate rather than prevent emerging risks to the supply chain as they slowly adjust their production processes through capital expenditure over time.
3. Embed Risk Thinking Throughout Your Organization
Risk assessment needs to be ongoing – not just a once a year process – if you want to spot emerging risks quickly enough to respond.
When aligned to organizational objectives and built with consensus among key stakeholders, risk management programs help protect the operational and financial wellbeing of the organization – and can even lead to strategic and competitive advantages.
Close integration with risk management depends on an organization's culture. A risk manager should facilitate this integration by identifying key metrics and providing training relevant to the organization. For example, if an organization faces a threat to its cybersecurity, employees must know how to recognize a cyberattack and report it to the appropriate personnel.
Metrics and training depend on the culture of the organization, and the risk manager should be able to navigate and experiment with ways to encourage more thinking about potential threats. With any large organization, it can be helpful for one executive to have ownership over identifying and preparing for emerging risks.
These steps can help risk managers and their teams uncover and mitigate emerging risks for their organizations. It takes time and effort to develop a better assessment process, focusing on threats that can potentially restrict the supply chain and a commitment to embed risk management into an organization's culture. Those that put in the work can face an uncertain future with more peace of mind.