How Chief Risk Officers Can Add Value in a Crisis

This post first appeared on Risk Management Magazine. Read the original article.

Risk management is proactive, peering around corners to identify uncertainties that may impact the organization’s ability to achieve its objectives.  Crisis management is reactive, marshaling resources to respond to a risk that has already manifested and requires immediate attention. Both require senior leadership engagement to be effective, but the roles and methods can be very different, and the chief risk officer (CRO) may be the best person to address both.

If CROs are typically focused on addressing how current exposures might impact future results, what is their role in the middle of a crisis, when a significant risk has already manifested? Many CROs have had to manage crises, but the current pandemic is pushing everyone into uncharted territory. The challenge (and opportunity) for CROs is to pursue actions that add value for their enterprises, both in the moment and for the long-term.

Immediate Crisis Management

Most organizations have established an all-hands-on-deck approach for their senior leadership teams to deal with the coronavirus outbreak, which is expected and appropriate. All aspects of organizational activity have been impacted, and all leaders have a role to play in dealing with the countless discrete challenges arising. But what should CRO’s focus be?

When leaders react in the moment there is often little time to assess the impact of decisions, and their actions to address the immediate crisis might create additional risks. Organizations do not have to wait for unintended consequences of well-intended decisions to manifest before addressing these kinds of collateral risks. CROs are skilled at anticipating these very kinds of outcomes. Having them intimately involved in these discussions provides a real-time forward-looking perspective on the known (or seemingly unknown) implications of these directives.

In some cases, the CRO’s insights might inform how the
decisions are carried out, to ensure that the initial objective is accomplished
in a manner that does not negatively impact some other part of the
organization. In other scenarios, management may continue down the original
path, but identify additional or alternative risk responses to decrease a vulnerability
that may otherwise be created. Moreover, management’s ability to articulate the
thoughtful, risk-informed process it followed in formulating its crisis response
could also pay significant dividends in the future. Identifying risks up-front
provides a record that may clarify real-time decisions to oversight or
regulatory bodies in subsequent audits or investigations.

CROs bring a different lens to crisis management, advising leadership on the risk-based implications of the rapid decisions that must be made. CROs can help anticipate unintended consequences, proactively plan for them, and maintain a record for the future—all without distracting from the immediate demands on management for timely action in the midst of a crisis.

Actions to Address Immediate Crises:

  • Demonstrate to
    senior leaders how a proactive risk-management lens can be an invaluable
    component to crisis response.
  • Commit to
    assessing enterprise-level crisis response decisions for collateral
    consequences across all risk types, including reputational risk.
  • Provide feedback
    to crisis response teams on potential risks their real-time decisions are creating,
    as well as potential mitigations that might limit these exposures.
  • Proactively
    engage risk officers throughout the organization to monitor for emerging risks
    resulting from crisis response decisions. Provide a simple, standard mechanism
    to report emerging risks, as soon as they are identified, to the crisis
    response team.
  • Lead the effort
    to document the crisis management team’s risk-based decisions, including the
    decisions themselves, a straightforward risk-based rationale, and the nature of
    any identified risks that are being accepted as a result. If feasible, place
    these decisions in the context of the organization’s risk appetite. A simple,
    standard form (stored in a central repository) can be used to enable easy
    access during future reviews by auditors, regulators, or inspectors general.
Longer-Term Crisis Management

CROs are also uniquely suited for dealing with a crisis such
as the current pandemic by anticipating the risks to their organizations when
the crisis ebbs and it is time to ramp up normal operations. The vast majority
of the leadership team is almost exclusively focused on dealing with the
current organizational stresses from a vantage point of a few days or weeks. But
someone should be anticipating the challenges that may confront these
enterprises when the “all clear” is given and the competitive pressures of the
business world—or mission requirements in the public sector—are suddenly
subject to circumstances they never previously encountered. 

Risks will likely manifest across the whole organization, including
operations, compliance, financial, human capital and even the very essence of
the enterprise. Strategies may need adjustments based on new market realities,
while internal operations and even organizational culture may require
modifications to maintain consistency with the organization’s mission, vision
and values. Each of these realities will introduce risks that were not evident
just a few weeks ago.

In many respects, operations will likely not be back to normal immediately. Organizations will encounter all manner of obstacles in their effort to return to normalcy. To avoid another kind of crisis when resuming operations, someone should be analyzing these risk areas, anticipating likely scenarios, and developing risk responses that can be deployed in a proactive rather than reactive way. The organization’s CRO is perfectly suited for this responsibility.

Actions to Address Longer-Term Crises:

  • Activate
    processes that are normally used for annual enterprise risk assessments, but focusing
    specifically on the risks associated with the return to normal business
    operations. As appropriate, differentiate between a partial return over an
    interim period and the final re-establishment of full business operations.
  • Engage senior
    leaders to determine if the pandemic has fundamentally changed the organization’s
    mission, vision and values, its enterprise-level strategic objectives, or its
    risk appetite. Align risk identification and analyses to any updates to these
    overarching concepts.
  • Provide guidance
    and standardized tools for risk officers to update the current enterprise risk
    profile, along with new entrants for consideration that are specific to the
    post-pandemic environment. Consider the full portfolio of risk types should be
    considered, including strategic, financial, operational, and compliance.  Particular consideration should be given to
    workforce-related risks given the massive disruption to the workforce as a
    result of the current crisis, as well as reputational risks that may otherwise
    be missed without proactive assessment.
  • Risk
    identification should include both top-down and bottom-up activities, with the
    CRO taking the lead to get input from senior leaders, while risk officers
    capture insights from across organizational business units. These efforts
    should be pre-planned and targeted to minimize disruption to current crisis
    response activities.
  • Aggregate the
    input received, create/update risk statements, assess the risks for likelihood
    and impact to assist prioritization, and prepare potential risk responses for
    leadership consideration.
  • As the nature of
    the pandemic evolves, this exercise should be ongoing and dynamic, perhaps
    including updates on a pre-defined cadence established by the CRO and senior
    leadership.
  • Update the
    enterprise risk profile based on the preceding activities and provide the
    results to the organization’s senior risk governance board.
  • Commit to working
    alongside business owners to provide advice on the effective implementation of
    risk responses as early as possible to reduce the likelihood of risk
    manifestation.

Leave a Reply

Your email address will not be published. Required fields are marked *