Boards today are grappling with the current, and future, impact of Covid-19 on employees, markets, customers, supply chains, revenues and the global economy. The suddenness with which Covid-19 spread and the required transformation to virtual work was unprecedented. But there are longer term implications to the economy, workforce engagement and how corporations will do business in this new reality. Globally, the pandemic has aggravated conditions of socio-economic uncertainty, inflaming growing social unrest. As the number of cases continues to rise in the United States and South America, and Asia is experiencing a resurgence, the consensus is that we will be dealing with the cascading effects of this pandemic into the foreseeable future, perhaps even beyond the release of a reliable, and well distributed, vaccine. This transformative time in our history demands innovative and forward-looking leadership.
Many directors are asking why their boards and management were caught off guard by the virus itself and the speed with which it impacted their business and the economy. Although many have been using terms like “novel,” “impossible to predict,” “without warning” and “unknown risk” since this crisis emerged, for years many experts from the World Economic Forum1 to the US Homeland Security Council2 warned of the threat of global pandemic. We can call them “Cassandras”; just like Cassandra, the mystic seer in Greek mythology whose predictions for the future were ignored, unfortunately these warnings also went unheeded.
Directors are looking to learn from those who have successfully navigated the challenges so that they might be more knowledgeable, and better prepared, to handle unexpected risk events in the future. The bottom line is we were caught off guard due to an underinvestment in risk monitoring and governance infrastructure. The ability for corporations to effectively monitor emerging risks, “hear” critical warnings, and act proactively to mitigate those risks has become a critical differentiator for businesses. In this article, we are recommending a way forward through the creation of Risk Committees within the Board and Risk Operation Centers within the organization.
The Importance of Risk Management
What has become clear is that the degree to which an organization and their third parties have responded to this crisis has become a competitive differentiator prompted Bloomberg to recently declare “risk management is suddenly a hot job.”3 Risk management becomes a competitive differentiator because companies that respond well to catastrophic risk events are able to avoid costs, preserve or even enhance revenue, and are more resilient in their recovery than their competitors. In the post-Covid world, organizations that are able to demonstrate a strong risk management program will have a distinct competitive advantage.
For too long, disruption risk monitoring has been focused on cyber and financial. As Covid has demonstrated, significant disruption risks go way beyond cyber and financial events. What’s needed is a new risk mindset. Consider that the next global crisis might not be a pandemic. It could be a nuclear accident, a large-scale terrorist attack, acceleration of global warming or another world war. Today, a strong risk management program must continuously monitor a broad spectrum of risks.
The new risk mindset requires us to rethink current risk models, as well. With our increasingly interconnected global economy, we need to stop thinking of global disruption risks as low probability. Risk cost benefit analysis today is based on old, and no longer relevant, models as leaders have operated under the assumption that high risk events have low frequency of occurrence. Take for instance what we refer to as 100-year flood events that are now occurring every couple of years or global disease outbreaks being considered high risk, but low probability of occurrence. This thinking is not supported by the current reality. Just since the early 2000’s, we have experienced SARS, H1N1, MERS and now Covid-19.
Corporations that move forward from this crisis thinking that the probability is low that we will find ourselves in a similar global disruption situation in the near future, and don’t make the necessary investments in risk monitoring and governance, are making a critical mistake. In the future, we believe supply-chain risk management and resilience will be a score that everyone will reference to evaluate the strength of an enterprise. Just as in the past as we looked to financial health, in the future, we will look at supply-chain health and resilience.
The Role of Risk Committees
Corporations that establish board Risk Committees can effectively monitor and address a broad spectrum of emerging risks. Dodd Frank regulations require financial institutions in the United State to establish Risk Committees separate from the Audit Committee. Today, there are approximately 20% of public corporation boards that have separate Risk Committees. Increasingly, industries beyond financial services are starting to add Risk Committees that cover everything from operational risk to compliance to technology to pandemic to business continuity to cybersecurity risks, and more.
Because of the growth of emerging risks that are technology based, such as the Internet of Things (IoT), 5G and Artificial Intelligence (AI), as well as risks like the impact of climate change and pandemics, special expertise and focus is needed. Traditionally, the Audit Committee has had responsibility for risk. But often Audit Committee members do not have the needed operational expertise or the bandwidth needed to understand the growing range of risks. Alternatively, Risk Committee members are generally supported by senior staff with specialized expertise in the risk area. A separate Risk Committee enables more time for information sharing and detailed risk discussions that educate the Risk Committee members and enable more focused and effective discussions at the full board meetings. While risk ultimately is the responsibility of the full board, the velocity of change, the breadth of emerging risks, and the increased intensity of possible business disruptions, make it ineffective to have full board discussions without the prep work handled by the Risk Committee.
Risk Operations Center
The new risk paradigm requires a whole new mindset that focuses on continuous monitoring across a broad range of risks that captures real-time risk intelligence to enable a faster, more effective risk mitigation response. Leading edge organizations will establish an ongoing Risk Operations Center (ROC) to enable staying ahead of emerging risks and proactive actions to effectively mitigate those risks. The ROC should be ongoing and proactive in its approach to risk and not established as a reaction to a current crisis. However, the ROC can be staffed up or down as the risk environment requires, continuously monitoring, planning, and ready to proactively react to risk changes or risk events.
The ROC is comprised of the following components:
• Risk Intelligence Monitoring Post to continuously collect real-time risk data and intelligence
• Workflow Tool to route relevant information to the right people
• Response Center to assess the intelligence for relevance and trigger internal and external actions)
• Feedback loop to determine what worked and what didn’t
• Cross-discipline expertise to provide diversity of perspectives on emerging risks
The ROC will enable the continuous monitoring and proactive business disruption risk identification, management and mitigation response that will elevate risk management to the competitive differentiator corporations need to navigate this crisis and thrive in a post-Covid world.
Staffing a ROC can be covered through a combination of technology, tools, analytics, and people. Data collected needs to be evaluated and analyzed for relevancy and impact to produce risk intelligence that can be used for trending and forecasting. The response center team will need to work in collaboration with other business functions drawing upon their risk mitigation knowledge. They will look beyond the individual risk event to make connections to other possible related or cascading risks in a truly proactive fashion.
Covid has highlighted the failings of underinvesting in risk and the need for a new risk mindset for corporate leadership. The way forward is through the creation of a board Risk Committee to focus on emerging risks at the top as well as the establishment of a Risk Operations Center to focus on continuous risk monitoring and proactive risk response within the organization. The right risk investments will enable corporations to hear the Cassandras. With a clear, real-time view of your emerging disruption risks and the governance structures to monitor and proactively act on them, your corporation will reduce exposure, improve resilience and reap the financial benefits of an effective risk management program.
- Outbreak Readiness and Business Impact, World Economic Forum, January 2019
- National Strategy for Pandemic Influenza Implementation Plan, Homeland Security Council, May 2006
- Risk Manager is Suddenly a Hot Job, Bloomberg, April 14, 2020.