The arrival of a new, highly infectious disease that spread rapidly to most of the world sent shockwaves through our lives, lifestyles and working environment. As we move into the next phase of the pandemic, what could it mean for your organisation’s approach to Enterprise Risk Management (ERM) and Business Continuity Management (BCM)?
Hugh Morris, Risk Management Consultant at Gallagher, offers some thoughts on the top 10 issues organisations need to consider as we start to emerge from 12 months of a “new normal”.
The identification, analysis, evaluation and treatment of risk is often visited on an annual basis, linked to the production of annual reports or similar. Organisations can be tempted, therefore, to consider largely short-term risks, and not plan to put resilience measures in place for longer-term potential threats. The ERM process should consider all potential risks, including those that may result in an enduring impact longer than the usual reporting period. Whilst many felt their ERM process already did this, reflection may indicate something very different.
2. Value of reporting
The output of ERM programmes or similar can often be in the format of risk registers, heat maps and sometimes complex reports, but do these always add significant value and insight, or are they produced as a compliance exercise? Of course, those organisations that have truly embedded risk management in their business operations do use such output as part of their strategic decision-making, but for some it can be seen as ‘ticking the box’. Some organisations had identified risks considered to be extremely unlikely, but which would lead to huge impact (such as pandemic disease). However, many did not take further action to consider resilience measures for such risks, mainly due to the inherent difficulty of trying to predict impact on a business, and because such risks were, by definition, considered very unlikely. Organisations should look at risk trends locally, nationally and internationally and consider the need for additional resilience and contingency measures.
3. Business change
In the ‘post COVID-19 world’, many organisations will never look the same again. As much as a natural focus will be on implementing new organisational models, operating procedures, etc., organisations must revisit their risk appetite as well as considering whether any new ways of working have changed their risk profile. Remember: if your risk appetite has changed, should your risk financing (insurance) strategy change? In addition, has the pandemic led to a very ‘operational’ approach to managing disruption, and have businesses paused, for example, the normal schedule of risk committee meetings?
4. The case for sound judgement
Over many years, the art and science of risk management has increasingly used analytical models, statistics and other quantitative methods to assess risks and the most suitable form of treatment. Such techniques can add valuable insight to the subject, but organisations should not forget they have experienced personnel who can exercise sound judgement in this area as well. Such judgement will be of high value when reconsidering the risk process in the future.
Some ERM programmes have become overly complex over the years, with a tendency to complicate matters, to use jargon and terminology not used in day-to-day business, and to rely on inflexible processes. In conjunction with the previous point, we would expect the terminology and techniques used in ERM programmes to become more familiar to senior leadership and employees, and therefore better understood. In addition, this approach will enable responsibility for considering risks and their management to be better understood and embedded across the business, and not left to a single individual or department.
6. Senior Leadership focus
Historically, the senior leadership in some organisations has not necessarily provided significant input, focus or support to risk management activities. We anticipate that the experience of COVID-19 and the absolute need for Executives to be directing the management of risks in the business that have arisen through the pandemic will lead to much stronger senior leadership engagement, including accepting the need to fundamentally review organisations’ approach to ERM.
7. Change to BCM needs
As mentioned above, many organisations have already made significant changes to business operations and continue to do so; this logically means that business continuity arrangements will need review and alteration. For example, a survey by the Business Continuity Institute in May 2020 showed at that point that fewer than 25% of businesses expected to go back to their previous business models as we emerge from this phase of the pandemic. For many organisations, there will be less reliance on constant use of physical office space, and an increased reliance on remote and mobile technology. Business continuity arrangements will need revisiting in order that they accurately reflect an organisation’s new way of working.
8. Supplier and supply chain continuity
Organisations have historically considered critical and single-source suppliers, and often identified alternate sources of services, products and materials. However, the very nature of a global pandemic has meant that multiple sources of the same or similar products and services have had their own limitations. This has also occurred in the past for ‘regional’ disruptions, where there is a concentration of suppliers in a particular area. Organisations will have to consider their reliance on third parties in more detail, as well as delving into second tier suppliers and beyond to develop robust contingency solutions.
9. Risk management linkage
Even organisations with well-developed risk management programmes can often find specific disciplines are looked at in isolation, for example Health & Safety, ERM, BCM, etc. We anticipate that a more holistic approach to ‘resilience’ will be taken in the future. For example, an ERM process will identify and assess risks, additional controls (property protection, security, health & safety, etc.) can be put in place to minimise the likelihood and impact should a particular threat materialise, risk transfer decisions (e.g. insurance) will be made for certain risks, and BCM solutions will be developed to manage continuity of operations in the event of disruption.
10. Minimum level of operation
Many BCM arrangements in the past have been developed based on a ‘minimum business continuity objective’, i.e. continuing operations to a minimum acceptable level following disruption. A long-term disruption such as COVID-19 has demonstrated the need for organisations to operate at 100% or even more. Most public sector and educational establishments have a ‘legal and moral’ obligation to continue to provide their services. Particular challenges here can be developing BCM solutions to an acceptable scale and scope, the ability to maintain ‘crisis leadership’ over an extended period, managing a workforce in terms of health (physical and mental), shortage of skills and the need to be able to respond to ‘surge capacity’, and being able to manage a workload backlog and changes in operations during and post-pandemic.
The 2020 World Economic Forum Global Risks Perception Survey¹ indicated the following top seven risks both by likelihood and impact:
Whilst risks in this survey are ‘geopolitical’ and ‘macro-economic’, organisations should assess how they may be applied to their own operations, and whether additional mitigation and contingency solutions need to be developed.
In summary, considerations for the post COVID-19 world include:
- The ‘new normal’ is still unknown for most organisations
- Likely to be a stop-start economy for a long time
- Change in people’s behaviours
- Change in workforce expectations, and a need to continually monitor and look after wellbeing
- Security of supply of goods and services
- Changed travel patterns – locally, nationally and internationally
- Changed stakeholder expectations
- Increased need for senior leadership assurance on strategic direction, and more involvement in considering risks and appropriate responses and resilience measures
Gallagher’s enterprise risk management specialists work closely with our Public Sector and Education team to ensure our clients are armed with the knowledge and tools to effectively manage the risks they face. If you would like to have an informal discussion with any of the team, please contact your usual Gallagher representative.
1. The Global Risks Report 2021 | World Economic Forum
Gallagher is a risk management, insurance and HR/benefits consultancy and will be sharing their views in that capacity. This article is not intended to give legal or financial advice, and, accordingly, should not be relied upon for such. This should not be regarded as a comprehensive statement of the law and/or market practice in this area. In preparing this article we have relied on information sourced from third parties and we make no claims as to the completeness or accuracy of the information contained herein. It reflects our understanding as at the date of the article but you will recognise that matters concerning COVID-19 are fast changing across the world. You should not act upon information nor determine not to act, without first seeking specific specialist advice. Our advice to our clients is as an insurance broker and is provided subject to specific terms and conditions, the terms of which take precedence over any representations in this article. No third party to whom this is passed can rely on it. We and our officers, employees or agents shall not be responsible for any loss whatsoever arising from the recipient’s reliance upon any information we provide herein and exclude liability for the content to the fullest extent permitted by law. Should you require advice about your specific arrangements or circumstances, please get in touch with Gallagher.