Post-COVID-19 Enterprise Risk Management

The COVID-19 crisis has clearly demonstrated that the traditional approach to Enterprise Risk Management (ERM) needs to be re-assessed. ERM should evolve to be more dynamic and agile so that it can manage risks from an enterprise-wide perspective as our economic system and way of life strive to adapt to the new realities created by the global pandemic.

Traditional ERM frameworks have shortfalls, and many organisations struggled to respond to the multidimensional risks unleashed by COVID-19. Typical risk identification and assessment focuses on an annual time horizon, and conventional ERM reporting often provides little insight or tangible business value. ERM tends to assess each risk individually and in the traditional two dimensions of likelihood and severity of impact.

COVID-19 has also shown that we need to recognise, model and consider the cumulative effects of interconnected risks or events, which have a far greater consequence in aggregate than in isolation. The traditional approach also ignores velocity: how quickly a single risk, or a chain of connected risks, can materialise and compound. Going forward, four dimensions of risk should be considered – likelihood, impact, velocity and connectivity – in order to assess the contagion effect.

Post-COVID-19 ERM needs to embrace more sophisticated stress and scenario testing, a stronger chief risk officer (CRO) role and a centralised risk function. The CRO is becoming more prevalent in business. Their role in managing risk appetites, developing a risk framework and policies, and acting as adviser to the board and senior management is indispensable. The importance of a centralised and coordinated strategy in response to a risk event cannot be overemphasised.

This global pandemic has exposed risks such as health and safety, supply chain dependency, business continuity, technology infrastructure and cyber threats. The current approach to managing these risks is no longer sufficient. The thinking must shift to more dynamic analysis and agile models. Risk executives should increase collaboration across functions, leverage new technologies/tools and have a voice at the table with other senior management.

In addition to the serious health and safety impact, challenges with supply chains have been most acute during COVID-19. Large organisations have complex operations with extended supply chains where their suppliers rely on third, fourth or fifth parties. Many had difficulties identifying providers in the outer tier of their supply ecosystem and had little visibility or insight into how these providers were faring through the pandemic. Consequently, many organisations could only execute fragmented and reactive risk responses to supply chain disruptions as and when they unfolded.

Now is the time for organisations to review their current risk appetite frameworks with boards and senior management. Internal audit and second-line risk function testing plans should be re-evaluated to include scenario and stress testing. Crisis management and business continuity plans should be revised to adequately cover pandemic risk elements. Risk interconnectivity analysis should also be undertaken to fully understand the contagion effect.

Traditional ERM tends to focus more on “bottom-up” assessment and less on a “top-down” approach. ERM programs need to shift from being process and compliance driven to an increased focus on people and technology. People at all levels of the organisation drive risk through their everyday decisions and actions. Cognitive risk-sensing tools and predictive risk intelligence can provide more timely insight into rapidly evolving risks. This intelligence can be swiftly analysed to provide greater risk awareness and help identify mitigation strategies.

Ultimately, risk culture is about people: influencing behaviour and addressing risk at the source every day. This starts from the top, with strong leadership and board engagement, but must then permeate down beyond risk champions to first-line leaders. A strong risk culture is the apparatus that will move organisations from passive, point-in-time risk management to an active, integrated and agile model.