COVID-19: What have risk managers learned from the pandemic?
14 April 2020
WHAT HAVE risk managers learned so far from the COVID-19 global pandemic? As Bob Sibik rightly observes, the most successful organisations will be those that conduct post-incident reviews, identify issues and strive to ensure remediation occurs.
There are several lessons to be learned from the COVID-19 pandemic that has swept the globe. Threats are endless and you cannot anticipate every one, so you must be prepared for responding to the consequence of an event. Risk-focused professionals must achieve a balance in strategy between preventative measures and effective response. This can be depicted using the 'bow tie' model with the left side representing all of the preventative and detective measures, the knot representing the disruptive event and the right side representing response, crisis management, recovery and restoration activities.
The ecosystem must be resilient. Organisations have become highly dependent on external parties to provide products, services or raw materials to their operations and financial success. They need to ensure they have multiple and diverse sources available to ensure they can continue operations.
Data and information are more valuable than plans. Business continuity plans can provide guidance and direction, but can never provide specific enough instructions to deal with every possible disruption. Information on the current situation, impacts and organisational dependencies has proven to be much more important when it comes to addressing the crisis.
What risks should you focus on now to help ensure your organisation's resilience as the pandemic progresses? The most important ones are cyber risk, the loss of key personnel and supply chain risk. Let's take a look at each in turn.
Cyber threats are on the rise due to the increasing number of people working from home on personal devices. In terms of personnel, many organisations have a single point of failure with certain skills or subject matter expertise. Should one of their key resources become incapacitated, they might be unable to continue operations. For their part, some critical elements of the supply chain may not restart effectively, if at all. Organisations need to determine when and how effectively critical product, service, transportation or material suppliers will recover.
Shared information for greater resilience
How can information be shared across business continuity and operational risk to enable greater resilience? Surprisingly, this is a greater challenge than one would think. Organisations should build an information foundation by implementing a single database, or investing in integration technologies to link multiple sources of record. Unfortunately they haven’t because of the following challenges: rationalisation, common metrics and assessment methodology.
Risk has typically defined the estate (ie the organisation) differently than the process mapping done by business continuity exercises.
Although both disciplines measure impact, they often use different scales. Business continuity managers have long used velocity, a concept that has only been used by risk managers for a little more than a decade. Risk managers, meanwhile, have always included the likelihood to prioritise investment, whereas business continuity professionals have only considered the consequence.
Although both strive to understand criticality and impact, the questions used to collect data, the sources used to provide data and the frequency of the data collection itself are different in most organisations. This results in differing views of criticality, conflicting strategies and ineffective investments orchestrated to reduce risk and disruptive events
How does this influence operational risk management programmes moving forward?
The most successful organisations will conduct post-incident reviews, identify issues and ensure remediation occurs. They will focus their energies on resilience, building a common information foundation that's kept current and accurate. They will also map organisational and ecosystem dependencies to understand how their organisation can be disrupted and how a disruption might ripple through their organisation.
Bob Sibik is Senior Vice-President and Co-Founder at Fusion Risk Management