Many enterprises are facing a growing number of high-impact events and emerging risks that affect business as usual. Organisation structures, skill needs, assets and reputation are all at risk. This is a real opportunity to take a fresh look and improve the efficiency of the risk process. COVID-19 provides a strong argument for Enterprise Risk Management.
Has COVID-19 changed our approach to risk assessments and management frameworks? Ross Hooley, Director at Lighthouse GRC, is a respected industry professional with an ability to demystify jargon and bring about pragmatic thinking to maximise added value.
As we have seen with COVID-19, crises can emerge with unprecedented speed. The risks they pose are potentially repetitive. The first wave of COVID-19 is now an Issue, but there is still a Risk of a second wave we ought to plan for in Australia. As risk professionals, we address risks with effective strategic planning, and an ability to anticipate, mobilize and rapidly respond to crises with confidence.
Many enterprises are facing a growing number of high-impact events and emerging risks that affect business as usual: risk to organisation structures, skill needs, essential assets and reputation. These all impact on business objectives, resilience and agility.
Enterprise Risk Management and Business Resilience Management
Traditionally, risk frameworks revolve around a risk register, evaluation matrix and appropriate stakeholder workshops to develop and manage identified risk. Each entity has its own way of doing this to keep within risk tolerance and appetite, governed by owners and Boards. Robust controls and actions are assigned to improve or develop better controls. This is critical. Under COVID-19, these tenets don’t change. The usefulness of the enterprise risk framework mechanics doesn’t change either. However, they must be fit for purpose and provide a solid basis for leading enterprise decision making.
Technology and social behaviours have evolved over recent years and, by necessity, been widely adopted with COVID-19:
- The speed and capability of internet connections that enable video conferencing and group interaction;
- Sharing of large documents for collaboration;
- Acceptance of Working-From-Home [WFH].
This is a real opportunity to take a fresh look and improve the efficiency of the risk process in capturing and evaluating risks. Noting social and professional commentary on this, WFH will be a lasting change for screen-based workers into the future. There is a cautionary note, however, on the cost/benefit to society and business entities, but that is an emerging risk that will move from strategic to operational over time, I suspect.
On Lessons Learned
There are many lessons to be learned[1] from COVID-19; we have to ensure they don’t go to waste, considering their immense cost from both a social and financial perspective.
Effective risk management assists decision making against defined business objectives. This is where the greatest value proposition lies. A competent risk register needs to identify emerging risks along with the business environment risk typical of industry sectors in which they operate. So where would an epidemic or pandemic fit into this emerging risk and the ERM governance?
I was involved with pandemic plans for NSW Government pandemic plan submissions to COAG (Coalition of Australian Governments) during the 2006 epidemic H5N1 [Bird Flu] planning phase. There were existing plans for epidemics. These were considered, focused and used to develop the then current pandemic risk plans. Fortunately, Australia didn’t need to deploy the plans then, but they were scenario tested by allied NSW Government agencies, NSW Health being the lead agency, naturally. This was good governance.
It has been interesting to witness the basis of those earlier risk resilience plans evolving as controls to our current pandemic issue – the risk has been realised!
Professional Risk Managers – take a lead on business resilience
Over many years, I have developed business continuity/resilience plans for private and public organisations. My disappointment comes from the lack of Business Resilience Management maturity (and existence) in the bulk of small to medium enterprises. This is where we need to take the still-evolving lessons learned and integrate them into well-reviewed Business Resilience Plans [BRPs] that are informed by a competent risk register.
This is an area where professional risk managers ought to take a lead, in my view:
We had decades of institutional warnings of the probability of a global pandemic and we also had numerous opportunities to run simulation exercises.
As reported by the Australian Broadcasting Corporation recently[2]:
Australia ran its last national pandemic drill the year the iPhone was launched: Australia has not run a large-scale pandemic simulation exercise since 2008.
Australia was a world leader in planning for a pandemic in the 2000s, but events like the Global Financial Crisis, and Australian political chaos distracted successive governments. The experts say failure to continue pandemic practice exercises may have contributed to confusion in the early days of Australia’s response to COVID-19, including contradictory public messaging from national and local leaders, and delays in launching communication tools.
The Enterprise Risk Register is the source of potential threats and opportunities. They inform the Business Resilience Plan and early development of an agile response. When clear processes already exist and have been refined through simulation exercises, an agile and effective response is much more likely.
This is just good governance and good risk management after all. As professionals, we should take the lead and add practical value to the business.
Figure 1: Business Resilience Plan and the importance of ERM
This article was written by Ross Hooley, Director at Lighthouse GRC and published in partnership with CURA Risk Management Software.
CURA Risk Management Software is a leading provider of Governance, Risk, Compliance and Risk-based Audit software solutions, implemented across more than 250 enterprise customers globally. These solutions offer a clear picture of risk across the organisation which leads to better decision-making and risk management. CURA enhances visibility into business activities and allows for information to be easily consumed and actioned, enabling better business performance and managing the uncertainty of risk.
————————————————————————————————————————————————————
[1] Note: The author has used Cura ERP to integrate Lessons Learned as actions linked to specific risks in a number of organisations.
[2] ABC Investigations / Dylan Welch and Alexandra Blucher 20 Apr 2020