As we prepare to enter the third year of the pandemic, it’s time to reflect on what we have learned. The World Economic Forum’s recent Global Risks Report 2022 (download required) conveyed just how pervasive the pandemic’s impact has been over the past two years on global risks. According to the WEF, the five non-climate related risks that have deteriorated the most during the crisis globally were:
• Social cohesion.
• Livelihood crises.
• Mental health.
• Debt crises.
• Cybersecurity failures.
The chaotic nature of the pandemic has also challenged senior business leaders’ ability to make forward-looking decisions. Right when we think we have our arms around the risk environment, something new comes along. Organizations depend on input and insights from their audit, risk and compliance leadership so executive management can make informed decisions that fit within their risk appetite. With new Covid-19 variants, border closures, supply chain disruptions, the Great Resignation and many other pandemic-related emerging risks, organizations have been repeatedly schooled on risk management.
Lesson 1: Adopt new risk metrics.
One of the first lessons learned was about the metrics management uses to assess risks. Traditionally, the main exercise included rating a risk’s impact (how bad will it be) and likelihood (how probable it is to happen). The pandemic has forced business leaders to consider other variables in their assessments—such as velocity and volatility—to understand additional risk dimensions. The picture becomes clearer when we can answer these four questions:
• How big of an impact will the risk have on my organization’s ability to achieve its objectives? This assesses impact.
• How likely is it that the risk will occur within my organization and impair the achievement of objectives? This considers likelihood.
• How quickly would the risk spread across my organization if we were impacted? This helps you determine a risk’s velocity.
• How long will this risk persist before losing priority to another emerging risk? This measures volatility.
While there is no one-size-fits-all risk assessment, incorporating at least these four metrics will provide deeper risk insights to management and produce better guidance.
Lesson 2: Expect reprioritization.
Organizations depend on risk managers as advisors to their leaders, especially when facing tough decisions. Good risk managers anticipate the next risk event that is likely to affect the organization, and they enlighten management so no one is caught off guard. Identifying emerging risk events is hard enough in regular times, but in a time of high volatility, a risk that seems like a high priority can just as easily be replaced days or weeks later. When risks are evolving as quickly as these are now, you cannot afford to rigidly adhere to past prioritizations. New risks will come up, and your focus will inevitably need to shift as priorities change.
Lesson 3: Increase assessment frequency.
In our current environment, one of the most important lessons organizations have learned is the need to be flexible and embrace change. Put another way, you should work with an agile mindset. For risk management to provide solid guidance, you will need to continuously assess risks in order to highlight new risks and changes to the risk landscape.
Some organizations complete risk assessments once each year, and some do so more frequently, but the pandemic has taught us that periodic risk assessments are not enough. Looking back at 2020 and 2021 provides all the evidence you need to support a higher frequency assessment, ideally even continuous risk assessment. As you increase the frequency, you can decide if current projects and initiatives are still relevant based on timely information.
Lesson 4: Remember that collaboration is key.
Risk isn’t siloed, and to be effective, your approach to risk shouldn’t be siloed either. Within most organizations, there are multiple groups that deal with risk and span enterprise risk management, internal audit, compliance, legal, IT security and others. To face the disparate risks associated with the pandemic, you need to gather different points of view. By cooperating and aligning the work performed by the different risk assurance functions, you will better position your organization to anticipate and mitigate new and emerging risks.
Did we learn?
Henry Ford is known to have once said, “The only real mistake is the one from which we learn nothing.” The pandemic has been, and continues to be, a learning experience for us all. Apply Ford’s advice. When managing risks, it is imperative that you learn from these experiences and quickly incorporate those lessons into your current processes so you are prepared for whatever comes next. We are all students in this unprecedented time.