The COVID-19 pandemic is an unprecedented crisis which amplifies the importance of future-orientated and robust Risk Management for organisations.
The current COVID-19 pandemic proves that we live in an increasingly complex and interconnected world. A health pandemic no longer only impacts the health of people, but also has a severe impact on society and the global economy.
As organisations rush to set up networks for remote working and other measures to get through this crisis, the role of Risk Managers is suddenly perceived as critical and placed in the spotlight. As a result, Risk Management – regardless of its shape and position in an organisation – has become increasingly relevant to ensure organisations have the capability to respond to both routine and unforeseen obstacles.
In the past, in many organisations Risk Management struggled to earn its rightful place within the organisation and to generate or show its value. As organisations continuously found ways to expand and innovate their business, the role of Risk Management in some cases changed to a largely complementary service to other functions and projects deemed to be of greater value to the organisation. However, as mentioned in the article 'Every company now wants a risk manager' (Elk bedrijf wil nu een risicomanager) published by Het Financieele Dagblad on 7 May 2020, organisations are now looking at Risk Management to help them overcome the current COVID-19 crisis and prevent or reduce the impact of a next crisis.
A seasoned Risk Manager will see this focused attention on Risk Management as an opportunity to bring in their value to strengthen the organisation for future disruptions.
The mission of Risk Management is and should remain supporting the organisation in achieving its objectives. Unfortunately, with a more diverse and complex risk landscape, the reality is that Risk Management (often smaller in size and budget compared to other departments), faces knowledge and capacity challenges in fulfilling this mission. This new set of challenges implies that Risk Management requires a new set of capabilities to understand the risk exposure and advise the business how to respond quickly, both during and after the COVID-19 crisis.
As we start to phase out of the lockdown and slowly move back to normal, Risk Management should ensure that the organisation looks towards to the future. This requires engagement and collaboration between Risk Management and the rest of the organisation to ensure the business moves smoothly through the anticipated phases, which requires:
Reaction , to assess what the 'new normal' will entail for the organisation and evaluate the possible medium to long-term impact of the recent lockdown on the economy and the organisation. COVID-19 proves that risks are interconnected and can impact the entire value chain. Therefore, Risk Management needs to break into 'silos' and integrate information from the entire organisation as well as from external stakeholders in this assessment. Additionally, there is an increased need for Risk Management to use scenario planning to assess this uncertain future. Time is of the essence during a crisis and therefore a rapid response is required.
Resilience , to determine what organisations can do to limit the negative implications of future events, Risk Management needs to consider whether they are looking at the right risks, and at the same time pay attention to new emerging risks and potential 'black swans'. The business disruptions caused by the COVID-19 pandemic show that external risks can be far more damaging than merely the internal risks on which Risk Management's main focus has been in many organisations. However, as these external risks will prove more difficult to prevent, Risk Management needs to pay more attention to Business Continuity Management. By identifying the 'crown jewels' – i.e. assets that are most critical – and exposing the expected risk containment effects, organisations can create a more resilient business model.
Recovery , involves taking relevant actions to ensure risk assessment and control activities are aligned to take rapid actions in case a risk materialises. The COVID-19 pandemic led to a world in a permanent state of change. Thus Risk Management also needs to continuously assess the recovery strategy. Additionally, recovery also presents an opportunity to promote improved preparedness and assess the organisation's risk and control environment. Does the organisation still have the correct mix of controls in place, or is the company over- (or under-)controlling?
A New Reality , as the organisation plans for a future after COVID-19 and determines what the company aims to achieve and how it will position itself in the 'new normal', Risk Management needs to assess what this will mean for the risk exposure. Additionally, while the organisation gradually phases out of the lockdown, Risk Management policies and procedures need to change. There is a lot for Risk Management to consider, including:
It is inevitable that the organisation will be negatively impacted, but understanding risk interconnectedness and the velocity at which the risk may materialise, can help organisations minimise the downside effect of the risk. By exposing the expected containment effects, organisations can build more pertinent risk mitigating actions.
As the need arises to gain a deeper understanding of the effect of COVID-19 on the future of the organisation, the role of Risk Management will remain critical to the success of the organisation. Risk Management will be required to ensure appropriate actions are taken to mitigate the impact of disruptions by developing and implementing enhanced risk management practices.
In practice we already start to see a shift in the role of Risk Management, from a complementary service to a strategic business partner. However, there may still be a long way to go in some organisations. Hopefully, Risk Management will grab the opportunity that COVID-19 created to accelerate this shift.
KPMG has developed an easy to use self-assessment tool which aims to facilitate a risk assessment of your organisation's response to COVID-19. The risk assessment has been divided into ten risk categories, for which a number of questions has been formulated. This will provide you with an assessment score for each category as well as an overall assessment score for your organisation, for evaluating the readiness to move into the next steps of resilience, recovery and adjusting to the new reality. Please contact us and we will share this free tool with your organisation as well as some guidance to interpret the results.
As there is no one-size-fits-all approach for Risk Management, the measures taken need to be tailored to the organisation's goals. We will be happy to answer any questions that you may have regarding this important topic and will gladly explore with you how Risk Management can be more relevant and become a key business partner within your organisation.
© 2021 KPMG N.V., a Dutch limited liability company and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.