The haphazard response to COVID-19 demonstrates the value of enterprise risk management
Just 12% of more than 1,500 respondents believe their businesses are highly prepared for the impact of coronavirus, while 26% believe that the virus will have little or no impact on their business, according to a survey by Gartner.
“This lack of confidence shows that many organizations approach risk management in an outdated and ineffective manner,” said Matt Shinkman, vice president in the Gartner Risk and Audit practice. “The best-prepared organizations can expect to enjoy many business advantages over their less-prepared peers as they minimize the disruption caused by the coronavirus.”
Most respondents (56%) rate themselves somewhat prepared, and 11% said they were either relatively or very unprepared. Just 2% of respondents believe their business can continue as normal, highlighting the huge range of businesses that could be affected by the outbreak.
Twenty-four percent of respondents expect little disruption, while the majority expect business to continue at a reduced pace (57%), to be severely restricted (16%) or to be discontinued altogether (1%).
Hoping it will all just go away
The challenge lies partly in the ambiguity inherent to managing an emerging risk such as coronavirus. Organizations often have policies in place to deal with most risks, but they don’t activate them until it’s too late because no one is owning the risk or taking it seriously until it is fully manifested. The threshold for a risk to generate executive action is often too high to enable an effective response.
“Board members tend to deal with emerging risks by just assuming they will go away and instead focus their attention on what is most important today,” said Mr. Shinkman. “In good times this methodology is reinforced because sometimes emerging risks really do just go away. It’s when they don’t that problems inevitably emerge.”
Having an enterprise risk management (ERM) function in place means that an organization is more likely to see risks coming and then mitigate the impact of those emerging risks more swiftly and effectively. Gartner’s view is that a focus on impacts rather than specific scenarios is best practice for ERM.
“It’s nearly impossible to predict exactly if or how a particular scenario will unfold or even when,” said Mr. Shinkman. “That’s what creates the ambiguity and often inaction around emerging risks. It’s much more effective to focus on potential impacts and how to mitigate them.”
Mitigating the effect of specific impacts on an organization
Pandemic provides a perfect example of how this approach works – companies that wait until the emerging risk is already impacting operations and/or many employees will likely find themselves playing catch up and losing ground to companies that were better prepared.
Companies can get better prepared by considering what interim events could occur that would suggest that a pandemic, or similar emerging risk, is about to sharply increase in terms of its impact or likelihood.
By using an ERM approach to identify and prepare for those specific events – and setting up mechanisms to monitor for them – the best companies are better positioned to avoid major disruption.
For those dealing with a crisis response to the coronavirus in their organization, they should have planned responses to specific impacts. For example, what will the company do if one employee gets sick? Ask all employees to self-isolate? Are work-from-home procedures sufficiently mature to support that or will work have to stop? Do suppliers or clients need to be notified? Is finance able to support operations in the event of anticipated losses?
Using an impacts-based method makes it very clear when to trigger a response plan and to start mitigating the effect of specific impacts on an organization. Also having response plans that react to specific impacts means it is simpler to communicate the plan to staff, so that all employees can play a part in managing risk. In fast-moving situations such as this, the more people who are owning risk, the more likely it is that an organizational response will be timely.
“Avoid constructing elaborate ‘what if?’ scenarios and focus on what is known,” said Mr. Shinkman. “Many organizations likely already have plans in place to deal with the types of disruption they are facing because of the coronavirus. The job of risk management is to ensure the right plans exists and make sure they get used at the appropriate moment.”