COVID-19: Agile risk management on the road to recovery

19 May 2020

Even though the Coronavirus (COVID-19) outbreak continues to evolve and pose immediate challenges for organisations, business leaders and risk managers will be looking ahead. They will be horizon scanning for opportunities and the emerging risks associated with the next phase – the successful recovery of their business in the coming months. Effective risk management has a crucial role to play as you rethink your business activities and establish new ways of operating.

Dynamic risk registers

In normal operating environments, risk registers are traditionally seen as helpful tools to identify, evaluate and prioritise key risks. However, during unusual times, such as the current period created by COVID-19, traditional tools need to be adapted and regularly updated in order to stay relevant.

A practical approach is to create a ‘working risk register’ to manage current risks in the reactive phase, as well as a ‘recovery risk register’ to identify emerging risks during the period of returning to pre-crisis activities. This can be a useful way to keep one eye on the future while also identifying, prioritising and mitigating emerging risks before they crystallise.  

These registers should form part of the operational daily risk management process for all leadership teams. They should help build resilience into your business, reflecting the differing appetites for risk as you move through the crisis and recovery states, without losing focus on either one. This approach will help drive an organisation through the different phases, supporting clear and well informed decision-making.

Risk post-COVID-19

One challenge that organisations face as they prepare for life after COVID-19 is to rethink their business, strategically and operationally, in responding to the changes which have arisen. Many aspects of their operations may have shifted permanently.  Outlined below are some of the key areas in which to consider risk going forward:

  • Business models

Many organisations will need to rethink their business models to ensure they are aligned with changes in the wider political, business, economic and social environments.

  • Financial management

All entities will need accurate information to support cash flow forecasting models, while underlying assumptions should be challenged regularly as new information emerges.

  • Re-starting the supply chain

Contract management functions must coordinate with supply chain managers to understand issues and vulnerabilities across the value chain. Disputes may have increased, so it is important to be clear on the contractual position while seeking to collaborate and negotiate with customers and suppliers alike to deliver what is possible, preserve the value chain and strengthen key third party relationships.

  • Projects and Change Management

It will be necessary to review projects previously put on hold and reprioritise those that are most urgent, in line with recovery and business resumption plans.  It is important that resources are committed to projects realising benefits and that support any changes to the business model.

  • Control design

Changes in ways of working may result in the need to redesign internal controls to ensure these are fit for purpose.

  • Fraud

Opportunities to perpetuate fraud increase not only when operating environments are challenging, but also during times of transition. Business leaders need to consider key risks and vulnerabilities. How can these risks be mitigated, and what is the organisation’s risk appetite?  Some controls may not have been fully operational during the height of the COVID-19 outbreak, so it may be necessary to undertake a retrospective review to check whether they were applied or that compensating controls were effective.

  • Cyber security

With millions of employees working from home, organisations have had to quickly adapt to keep business critical functions running, while also maintaining adequate security. Security considerations must also be taken into account as business processes change and organisations resume more normal operations.

  • Health information and data privacy implications

Organisations are collecting and processing new types of information about individuals including health status, household information and the results of any COVID-19 testing. Are associated data privacy risks being addressed?

  • Regulatory compliance

In the midst of everything that is happening and the daily challenges organisations face, it is important that eyes are not taken off the regulatory ball. Regulators will not be tolerant. There needs to be an ongoing focus on compliance and the adoption of any regulatory changes that arise, including areas such as Health and Safety.

  • Opportunity

There is an upside and downside to risk. Organisations need to be alert to the opportunities that change presents. As part of a rethink strategy, this will include embracing the now tried-and-tested smarter ways of working to drive flexibility and efficiency and to achieve sustainable benefits for the organisation and its people.

The bigger picture

Many have viewed the COVID-19 crisis as a ‘black swan’ incident – owing to its rarity, extreme impact and retrospective predictability (according to Nassim Nicholas Taleb). From a risk perspective, historically, many organisations have been reluctant to include such rare events on risk registers, since they can seem remote, unlikely and therefore not worthy of significant time and resource. However, following the financial crash in 2008, financial services firms have been required to classify low likelihood but high impact risks as high risks (red). This is because, despite the low likelihood, the organisational impact would be significant. It may now be the time for all organisations to follow suit in their assessment of low likelihood, high impact events.

What’s clear is that managing risk in a dynamic, agile way has never been more important. Organisations need to be able to manage risk in real-time, to inform the decisions management teams make as they recover from the crisis and rethink their business going forward.

If you would like to discuss any of the issues highlighted or to understand about our Risk Management software: Rhiza, please contact Robert Noye-Allen or Sarah Hillary.

Risk Management Software and Expertise: Rhiza

Request a demo link

Contact Us