How to Address Low-Probability, High-Impact Risks

This post first appeared on Risk Management Magazine. Read the original article.

Before COVID-19, few organizations would have considered
prioritizing the remote risk of a pandemic over more common events. However, as
the past year has demonstrated, dismissing such scenarios entirely is no longer
a viable strategy.

The COVID-19 pandemic has been called a “low-probability,
high-impact risk” that no one could have predicted. This is simply untrue. In
fact, since the World Economic Forum (WEF) started releasing its Global
Risks Perception Survey in 2007, the risk of a pandemic and/or rise in
chronic or infectious diseases has often been featured in the top five risks in
terms of likelihood and/or impact. Even in the 2020 report, while the
possibility of a pandemic did not make the list of top risks, special mention
was made of the threat. It found that no country’s health care system was fully
prepared to handle an epidemic or pandemic, and that progress against pandemics
was also being undermined by vaccine hesitancy, which could pose serious risks
for organizations in future.

The risk of a pandemic also has ample precedent. In recent
years, the world has seen a number of “near misses” from the likes of bird flu,
swine flu, SARS and MERS. Such warnings were largely ignored, however, because
the spread of those viruses was ultimately contained, infection and death rates
were low, and they did not adversely impact major western markets like the
United States and Europe.

In the past 20 years alone, there have been at least three
major “once-in-a-lifetime” global shocks: the 9/11 attacks, the 2008 financial
crisis and now the pandemic. Each caused or will cause years of economic
disruption and required lengthy periods of recovery. The point is simple:
Low-probability, high-impact events occur more frequently than many people
realize or care to admit. Additionally, these events have a massive impact on
almost every aspect of the business. So what can risk professionals do to
better address these threats?

The Gaps in Business Continuity Planning

Typically, business continuity planning and resilience
testing are the two key defenses that organizations rely on to maintain
operational capability when disaster strikes. However, in many organizations,
such planning has usually revolved around issues that management could
reasonably expect to deal with at some point in the near future. COVID-19 was
not one of those.

“If you live in an area that suffers from earthquakes or
hurricanes, for example, then naturally your business continuity plans will
take such situations into account,” said Jim Zeches, senior GRC consultant at
cybersecurity risk management firm IT Governance USA. “What the COVID-19
pandemic has done is make many organizations firefight situations they believed
would never take place, and it’s obvious how little many have planned for such
eventualities.”

Modeling risk scenarios on historical data and averages has
also proved to be an unreliable way of preparing for catastrophic events.
According to Jim DeLoach, managing director at risk consulting firm Protiviti,
many organizations have been “hamstrung” by their over-reliance on analyzing
historical risk data to help prepare for future crises.

“During the 2008 financial crisis, even when it became
obvious to analysts and investors that the losses were so bad that some firms
would fail, banks and other financial services firms resolutely believed that
the mortgage market would survive because it had endured without incident for
125 years,” DeLoach said. “Instead of looking at the situation unfolding in
front of them—and reacting to it—a lot of firms didn’t move because they
thought that, since the market had never collapsed before, it was not possible
for it to do so now. But looking back doesn’t tell you what might be ahead.
So-called ‘once-in-a-lifetime’ events can happen. Organizations need to accept
that and make resilience a priority.”

Assessing Potential Risk Exposure

To get a better idea of how to prepare for low-probability,
high-impact risks, risk professionals can perform a number of useful exercises.
One of the most obvious, DeLoach said, is to conduct horizon-scanning exercises
to see what could happen in the future. They will then need to assess the
impact of such risks, which includes conducting a review of where there might
be any operational weak links.

“Any signs that the business is overly dependent on a couple
of individuals or organizations for any aspect of its operations should be
flagged as a potential risk for management to consider,” he said. “For example,
is there a single point of failure anywhere in the organization? Is the business
heavily reliant on a key individual or a particular supplier or customer? Would
the business survive if a key market was cut off? Does one product or service
account for over half of the company’s revenues? Asking these kinds of
questions should highlight areas that need further review and management
action.”

Risk professionals should avoid being too specific about the
type of event they plan to respond to and prepare for. “You don’t need to
second-guess what the event will be that will trigger the impacts that you
think will be the most severe to the business,” DeLoach said. “The board is not
going to listen to you if you try to plan for specific but remote, niche
scenarios, such as the possibility of asteroids hitting the earth. Boards want
assurance—not guesswork.”

Instead, he said, “It is more useful for risk management to
focus on how the business could be affected by a high-impact event and where
the most vulnerable areas of the organization are, rather than guess what the
event might be—such as supply chain disruption, loss of customer base,
operational shutdown, and so on—and work out what resources, processes, plans
and level of resilience capability the organization will need to cope with a
major disruptive event. Risk managers then need to build a business case about
what steps the organization should take to improve its resilience and agility.”

To determine their level of risk exposure, organizations
need to understand what their critical assets are and calculate how much money
the company would lose if those operational areas suffered any amount of
downtime. Once they have established the scale of any losses, risk
professionals then need to work out how to make these areas or processes more
resilient. “Companies need to know how they can keep operating if disaster
strikes,” said Andrew Beckett, managing director for cyberrisk at risk
consultancy Kroll. “They need to identify the key areas that must be protected
or that can be replicated elsewhere, if necessary, to ensure business
continuity.”

For example, he said, “If a manufacturer produces different
parts in several locations, which plants could continue production if one or
more of its factories were forced to shut down for days, weeks or months? Which
factories could fill the gap in the meantime? How would components be shipped
and assembled if parts of the supply chain collapsed? Similarly, if a data
center is forced to close, can an organization switch to another one quickly
and seamlessly? Will customers be affected? Are there contractual or regulatory
obligations that might be affected and, if so, what could the costs be to the
business?”

Camilla Winlo, director of consultancy at data risk
management firm DQM GRC, believes that the key to future resilience is to
question whether existing resources can be deployed more effectively. “No
business can treat every risk facing them, and risk management is often about
making difficult decisions on which risks the business must simply accept and
live with,” she said. “Low-probability, high-impact scenarios often fall into
this category—but while you can hope that they never crystallize, if they do,
it will be an emergency. This can lead to businesses doing less than they
should when considering them.”

Because it is impractical to implement a strategy targeted
specifically at a single low-probability, high-impact scenario, Winlo said
organizations should instead consider defending against risks that have similar
effects. This means looking at the organization’s critical success factors and
processes and considering how management can respond if the business gets
disrupted.

“You do not need to imagine a pandemic specifically to
consider whether your business model is overly dependent on sales through a
particular channel and to think about how you might diversify,” she said. “By
considering the disruption caused by risks rather than the high-impact events
themselves, risk managers increase the likelihood for leadership engagement.”

It is also helpful to consider what the organization would
need to be able to respond with greater agility. “Key questions to ask include:
Would your key people be up to that kind of challenge? Does the organization
have the right communications channels in place? Where would your funds and
resources come from to manage the crisis? What bottlenecks would emerge? What
factors would play in your favor?” she said.

In addition, companies should look for the “upside” of such
risks and consider how they might position the business to succeed when gradual
changes become steep and sudden. These kinds of conversations “should sit much
more comfortably alongside the kinds of strategic planning discussions
management teams enjoy,” Winlo said. 

Gaining Management Support

Getting management buy-in is crucial to reviewing—and
potentially revising—any crisis management response to a high-impact event.
When presenting to the board, risk professionals need to explicitly tell
directors why they should care: Failure to act will cost money, damage the
company’s reputation and affect market share. “They need to put the ‘so what’
right under the nose of the board if management is to take risk managers
seriously,” said Debbie Bowen-Heaton, partner at management consultancy Oliver
Wight.

Risk professionals can take a number of practical steps to
get the attention of senior management and the board. First, risk management
should put in place a “risk radar” that assesses the probability and impact of
risk, Bowen-Heaton said. This should then be reviewed regularly by management
as part of their leadership team meetings with the objective of proactively
building contingency plans for high-impact risks. From there, risk management
should implement a process to communicate executive decisions and responses to
the rest of the business. Finally, risk professionals should continuously
monitor the actual impact of risks as they materialize, as well as the
deployment of risk management plans, so that the business responds swiftly and
effectively.

Other experts agree that explicitly spelling out the costs of a
low-probability, high-impact event (or a series of them coming
together, as has happened with COVID-19) is key to gaining the board’s
attention. But it is also essential that risk professionals produce figures
that executives can understand, rather than relying on vague terms, such as
“reputation damage.”

“Telling the board that the company could be hit by reputational
damage and legal and regulatory penalties doesn’t mean a lot unless you can
provide some sort of rough figures,” said Alex Toews, risk solutions manager at
software vendor Fusion Risk Management. “If you want to prove your case, think
in dollar terms and cite known examples.”

To get executives on board, Toews suggested a two-pronged
approach: Risk professionals should have the necessary data or evidence at hand
to show the scale, costs and damage of the potential disruption, and they
should try to align with other assurance functions like internal audit,
compliance, legal and IT to speak with a “unified voice” to convey the
strongest possible message and effectively lobby for management action to
improve resilience and responsiveness.

“Risk managers often make the error of presenting a load of
risks without quantifying the data behind them,” Toews said. “Explain what the
data is and what it means to the business in cost terms. Tell management how
the risk information provides credence that there could be a serious problem if
steps are not taken now to prepare for it. Show them where the vulnerabilities
are, what the short- and long-term damage and disruption to the business could
be, what the financial impact could be in dollar terms, and how these
weaknesses can be mitigated.”

Toews added that it is important for assurance functions to
work more closely together and to deliver recommendations based on a singular,
unified view. He also recommended that these functions collaborate to provide
more integrated assurance. This will help promote a more informed risk culture
within the organization where everyone understands what risk management means and
what part they can play in implementing changes to make the business more
resilient. “If risk management joins forces with other assurance functions to
deliver the same message, it has a much better chance of being listened to,” he
said.

Risk professionals should also look at quantifying
qualitative data. For instance, Toews said, can the company be forced to pay
contractors under a clawback clause if a power outage, flood or forced closure
prevents it from completing an order? What would the financial costs to the
business be if the company was forced to outsource operations to another
provider to fulfill contractual obligations? Could the company be hit with
multimillion-dollar fines if customer data is hacked as part of a cyberattack?
What percentage of customers would likely use a competitor’s services if the
company fails to deliver, and how many would choose to stay away long-term?
Have any of these scenarios happened to other companies? If so, how badly were
they impacted? What were the costs? How did they bounce back? “Showing
management and executives that you have thought through the implications of
these kinds of scenarios will help get them on board,” he said.

More Than “Once-in-a-Lifetime”

“There is no doubt that risk managers need to reevaluate
their assessment of catastrophic—yet palpable—risks,” Toews said. “Scenarios
that previously would have seemed outlandish are taking place more frequently
than organizations are giving them credit for.”

Risk professionals can no longer afford to dismiss these
threats as sheer fantasy or ignore their impacts and their ability to affect
other high-priority organizational risks. By adopting a broader perspective on
risk assessment and opening up the discussion with executives, risk
professionals can improve organizational resilience and risk preparedness, no
matter the scenario.
