Rethink: Agile risk management on the road to recovery
Business leaders should now be planning their route to recovery and growth. They should be horizon scanning for opportunities and the emerging risks associated with this crucial next phase. Effective risk management has a crucial role to play as you rethink your business activities and establish new ways of operating.
Dynamic risk registers
In normal operating environments, risk registers are traditionally seen as helpful tools to identify, evaluate and prioritise key risks. However, during unusual times, such as the disruption and uncertainty created by the pandemic, traditional risk management tools need to be adapted and regularly updated in order to stay relevant.
An effective, practical approach is to create two distinct tools; a ‘working risk register’ to manage current risks in the reactive phase and a ‘recovery risk register’ to identify emerging risks as your business adapts to a new reality. This is a good way to keep one eye on the future while also identifying, prioritising and mitigating emerging risks.
These registers should form part of the operational daily risk management process for your leadership team. They should help build resilience into your business, reflecting the differing appetites for risk as you move through the crisis and recovery states, without losing focus on either one. This approach will help clear and well informed decision-making.
‘New reality’ risks and challenges
One challenge that organisations face as they prepare for the new reality is to rethink their business, strategically and operationally. Many aspects of their operations may have shifted permanently. Outlined below are some of the key areas in which to consider risk going forward:
Many organisations will need to rethink their business models to ensure they are aligned with changes in the wider political, business, economic and social environments.
All entities will need accurate information to support cash flow forecasting models, while underlying assumptions should be challenged regularly as new information emerges.
- Re-starting the supply chain
Contract management functions must coordinate with supply chain managers to understand issues and vulnerabilities across the value chain. Disputes may have increased so it is important to be clear on your contractual position. You should look to collaborate and negotiate with customers and suppliers alike to preserve the value chain for all and strengthen or forge new key third party relationships.
- Projects and Change Management
Your leadership need to review projects previously put on hold and prioritise those that are most urgent, in line with recovery and new business growth plans. It is important that resources are committed to projects that support any necessary changes to the business model.
Changes in ways of working may result in the need to redesign internal controls to ensure these are still fit for purpose.
Opportunities to perpetuate fraud increase during times of transition and in disrupted operating environments. You should review key risks and vulnerabilities. How can these risks be mitigated, and what is your organisation’s risk appetite? Some of your controls may not have been fully operational during the initial stages of the pandemic. You may find it necessary to undertake a retrospective review to check whether they were applied or that compensating controls were effective.
Your business will almost certainly have employees working from home. You will have had to quickly adapt to keep business critical functions running, while also maintaining adequate security. Cyber-security considerations must always be taken into account as business processes change and when you resume more normal operations.
- Health information and data privacy implications
Organisations are collecting and processing new types of information about individuals including health status, household information and the results of any COVID-19 testing. Have you addressed the associated data privacy risks?
In the midst of everything that is happening and the daily challenges your organisation faces, it is important that regulatory compliance is maintained. Regulators will not be tolerant. There needs to be an ongoing focus on compliance and the adoption of any regulatory changes that arise, including areas such as Health and Safety.
There is an upside and downside to risk. You need to be alert to the opportunities that change presents. As part of a strategy rethink, this will include embracing the now tried-and-tested smarter ways of working to drive flexibility and efficiency and to achieve sustainable benefits for the organisation and its people.
The bigger picture
Many have viewed the COVID-19 pandemic as a ‘black swan’ incident – owing to its rarity, extreme impact and retrospective predictability. Historically, many organisations have been reluctant to include such rare events on risk registers, since they can seem remote, unlikely and therefore not worthy of significant time and resource.
However, following the financial crash in 2008, financial services firms have been required to classify low likelihood but high impact risks as high risks (red). This is because, despite the low likelihood, the organisational impact would be significant. It may now be the time for your organisation to follow suit in its assessment of low likelihood, high impact events.
What’s clear is that managing risk in a dynamic, agile way has never been more important. Organisations need to be able to manage risk in real-time, to inform the decisions management teams make as they recover from the crisis and rethink their business going forward.
If you would like to discuss any of the issues highlighted or to understand about our Risk Management software: Rhiza, please contact Robert Noye-Allen or Sarah Hillary.
BDO London - Baker Street
BDO London - Baker Street
Head of Risk and Advisory Services, Midlands