The COVID-19 pandemic has caused global disruption that is testing businesses' financial, operational and commercial resilience. Against this backdrop, organizations have had to mobilize swiftly and operate in new ways, making decisions to protect their assets and adapt to this evolving environment — from activating business continuity planning and protecting people to managing cash and liquidity.
While these strategies have allowed some organizations to further build resilience, there are structural and long-term implications that need to be better understood. A unique challenge for organizations is to progress from business continuity and crisis plans — typically designed for days and weeks — to manage and succeed through a period of extended uncertainty.
The changing ERM landscape
Businesses were already working hard to remain relevant in the face of transformative trends such as relentless technology innovation and changing customer expectations. COVID-19 is arguably accelerating these trends, where digitalization, remote working, tighter information security and supply chain rationalization may well become 'the way we do things.'
In addition to the pandemic, other risks have the potential to make or break organizations, such as geopolitical shifts (trade tensions, security threats), climate change and sustainability (greener technologies, chronic weather changes), disruptive technologies (artificial intelligence and the Internet of Things) and cyber threats.
The journey to this new reality will likely take a different trajectory across organizations and sectors. Some industries will need to transform by modifying their business-as-usual practices or even going through a hard reset (due to permanent market changes). Others may conversely benefit from exponential growth as altered customer behaviours are sustained in their favour.
In this climate, audit committees need to ensure leadership is pressure-testing and future-proofing their business model to manage existing and emerging risks — and to take advantage of emerging opportunities. With great uncertainties still ahead, they must take another look at the increasingly intertwined strategic and risk decision frameworks that hold it all together.
Why standard risk management doesn't work anymore
The maturity of an organization's resilience has real potential to dictate success or failure. Standard risk management, often siloed, static, focused on discrete events and residing several levels below top decision-makers, is just not good enough.
COVID-19 has revealed how connected our world is: We live in multiple intertwined networks, both physical and digital. In simple terms, it means that elements of a network interact with each other, and any change in one area of that network can and will influence the rest of the network — similar to the chain analogy where the strength of a chain is only as strong as its weakest link.
While connectivity offers opportunities — social media connects people and the Internet connects ideas and knowledge — it also presents risks. COVID-19 has demonstrated the significant risks of being part of a network, as it continues to affect all aspects of our life from health and wellbeing to the economy, employment and financial markets. The Great Depression, dot-com bubble, 9/11 and 2008 financial crisis were all disruptive events that created unprecedented, severe aggregate downside scenarios.
The maturity of an organization's resilience has real potential to dictate success or failure. Standard risk management, often siloed, static and focused on discrete events, is just not good enough.
Connecting the dots for true risk management
Risk lies in the gap between the highly interconnected world we live in and traditional risk management programs. Audit committees need to connect the dots and bridge that gap to drive greater value, insights and accuracy from their risk management. They need to develop true strategic risk management capabilities by integrating them with strategy development.
Imagine a risk management scenario that recognizes an organization not as a single 'entity' but rather as one, if not several, complex networks. Imagine if risks aren't managed in isolation; they're analyzed by how they aggregate and influence each other to uncover key pain points. Imagine if risk management goes beyond 'known knowns' to identify extreme scenarios or stress events that would put the organization at risk.
Risk management is not about being immune to every risk, but rather being prepared and resilient to adverse events. If there's a silver lining to COVID-19, it's that organizations are now looking at overall resilience, extreme scenarios and risk interconnectivities. And there's a renewed focus from the board and management in building resources and analytical capabilities for future risk and resilience.
What should audit committees be asking?
- What are our key strategic objectives and how much risk is the organization willing to take in order to achieve these objectives?
- What are the key networks in which the organization operates in? What are the critical interconnectivities or dependencies?
- What factors could create extreme stress to the organization?
- How resilient is the organization to withstand such extreme events, while remaining nimble to opportunities in light of uncertainties and changing circumstances?
- How is the organization working across the risk function, compliance, technology and business continuity planning to manage risks and increase overall resilience?