As a result of COVID-19, organisations are experiencing unprecedented levels of change. Most are adapting their business models and strategies. With change comes uncertainty, which can lead to new threats. Chief Risk Officers (CROs) and the heads of risk and leadership teams are familiar with managing the largest risks to achieve the organisation's strategic goals. Current circumstances, though, are something entirely new. Previous assumptions may no longer be valid. Applying a risk management lens can help eliminate or minimise the impact of COVID-19 on your business' strategy and help you prepare for the new normal.
In response to COVID-19, most businesses have already recognised the need to identify and manage the risks and activities that are critical to ensuring their survival. Many have significantly adjusted major business processes and adapted their ways of working over the last few months. For some organisations, these may be permanent changes.
At this time, it is important that organisations don't just focus on crisis management. They must be able to proactively identify and manage new risks and opportunities while recognising how existing ones may have changed. Shifting to a focus on the long-term success of the organisation is vital.
Businesses should assess the long-term impacts of the COVID-19 crisis on their resilience, as well as on their approach to risk management. There may be a lasting impact on the risk culture of organisations. This could lead to changes in the way they approach risk, including identification, assessment, monitoring and reporting of risks. Applying a risk lens as this situation progresses is important.
This is a perfect opportunity to engage with the three lines of defence to deliver critical insights, risk assessments and credible challenges to support effective risk management. Risk executives need to help manage the threat from COVID-19, while having a seat at the table with other members of the leadership team. They must ask the right questions today to support a recovery later, as well as preparing for the next major risk event.
In response to COVID-19, risk appetite might have changed. Risks previously accepted might now be looked at from a different point of view. Organisations should review their risk appetite to ensure they remain within defined levels of acceptable risk thresholds. They should monitor whether breaches have occurred or are likely to occur in the future. Organisations need to re-evaluate their 'red lines' and be aware of the potential impacts on stakeholders, including their employees, investors, customers and suppliers. A review of the firm's risk appetite in light of changes to the business model and strategy is crucial to develop a strategic response, prepare for the period ahead and to emerge stronger after COVID-19.
COVID-19 has been a major event triggering a reassessment of business risk. Risks previously identified may not be front of mind when in crisis management mode. However, they are not diminished by the pandemic. In light of COVID-19, organisations should challenge assumptions made previously. Review the existing risk profile and ensure the likelihood and impact of risks reflects the current position following the impact of the recent pandemic and the changing risk landscape. Identify the less obvious risks by looking beyond the immediate challenges and consider the potential knock-on effects.
In these uncertain times, organisations will want to ensure that shortcuts are not being taken, no opportunity for override of controls exists and rigor in procedures is still present. The design and operating effectiveness of controls should be reviewed to ensure they are fit for purpose in effectively mitigating risks. Where required, controls should be modified, replaced and new controls implemented to respond to current circumstances. Ensuring that internal controls are still functioning effectively should be a continual focus in today's uncertain environment.
Organisations can benefit from revisiting their scenarios and reassessing potential outcomes in line with current developments. To be able to assess the full extent of the crisis, this should be performed by a multidisciplinary team bringing together risk experts, business leaders and IT specialists. Scenario analysis should be based on the flexing of existing risks and controls, analysing the impact of the scenario on the sensitivity of changes to the existing infrastructure, such as linking operational risk to operational resilience. Outcomes should be considered and communicated to the dedicated recovery team.
Organisations should determine if reporting is frequent enough to support timely responses to changes in risks. Key risk indicators (KRI) and key control indicators (KCI) should be reviewed in light of the above assessments to ensure they are providing relevant and timely information. Robust action plans and tracking mechanisms should be put in place and linked to decision-making and integrated with the overall strategy. Technology tools and analytics should be leveraged to increase the speed and accuracy of data collection and analysis to enable meaningful monitoring and reporting activities.
As events continue to unfold, we know that the challenges you face are mounting. There's no doubt that the weeks and months ahead are going to be challenging and the priority now is ensuring your business can manage and mitigate the risks that are emerging. We are ready to help you as you face the future. Contact us today.