The rapid spread of the coronavirus forces us risk managers to face the facts: while we were busy with the nitty-gritty of our business, we didn't pay enough attention to the risks that really mattered.
Penny wise, pound foolish. Risk managers have their preferences for the type of risk they like to tackle. First, let me take a look at myself: KPMG also contributes to this, by focusing on services regarding the management of financial, operational and compliance risks. While we know very well that - in short - there is more between heaven and earth than a dense mileage registration process. Don't get me wrong: such a sound process is important, because it can cost you money if you don't arrange it properly. But does that risk get a proportional share of our time and attention, weighted according to its importance for your organization?
One of the lessons from the spread of the coronavirus is that this is not the case. Now that a microorganism is paralysing entire industries and shutting down entire countries, risk managers are asking themselves the question: what did we miss? They will then conclude - and rightly so - that they did not actually miss so much. Climate change, disruptive technology, geopolitical shocks, terrorism, infectious diseases, go on and on: we do realise that these risks exist and they have probably been the subject of a session with the board of directors or another important body. But then the theme was 'parked'. After all, what are you going to do about it? And also: isn't this about risks that, when things go wrong, hit our competitors just as hard as they hit us? Wouldn't it be better to focus on the risks for which we can devise effective control measures?
Understandable this reasoning may be, it does not make sense. A goalkeeper who sees four attackers coming towards him, with no defenders in sight, doesn't run off to the first attacker so that 'he at least can't score'. Instead, the goalkeeper keeps his eye on the ball, and will tackle the attacker who threatens to score. After all, goalkeepers are there to prevent goals, not to eliminate random (harmless) attackers.
What we did miss is that 'parking' these risks is not a good idea. We have been missing that we spend a disproportionate amount of our time and attention to risks that are not vital to our business model. Maybe we missed that we should be a bit more ambitious. Because are these indeed risks 'you can't do anything about'?
There are examples suggesting the opposite. Such as the brewer acknowledging that the societal debate about the health effects of alcohol cannot go on without consequences. So he is developing alcohol-free products. Or like the clothing manufacturer that operates production sites all over the world in order to spread geopolitical risks. Incidentally, that clothing manufacturer was also prepared for the coronavirus outbreak - perhaps without realising it - because production is not concentrated in China only.
In other words: I advocate risk management that focuses on the risks that affect the business model the most, the risks that affect the real value of the organization. Don't skip anything, don't park anything and never think: this kind of disaster will pass us by. Because that's what the coronavirus teaches us: the chance of disasters (big or small) passing us by in our increasingly globalizing world is getting smaller and smaller. So map out your risks, weigh them and cluster them and give each cluster the time and attention it deserves. In this way you will increase the chance that you will be better prepared than your competitors for the next 'disaster'.
© 2021 KPMG N.V., a Dutch limited liability company and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.