Redefining Enterprise Risk in a Post-COVID-19 Environment

The COVID-19 crisis has outpaced the resiliency mechanisms of most global businesses, bringing two related elements into stark relief: First, the degree of businesses’ hyper-connectivity exceeded the comprehension of most organizations. Second, many firms did not account for the risks inherent in the trade-off between efficiency and resiliency. Together, these two dynamics have revealed a degree of fragility within organizations—and indeed, the overall system—previously thought impossible.

Whether or not we face a second wave of the pandemic, systemic threats—such as climate change and cyberattacks—demand new approaches to managing risk at the board level.

Planning Under Conditions of Deep Uncertainty

As the pathogen’s arc is reaching its peak in many parts of the world, the uncertainty facing boards is only increasing. The velocity with which this crisis has unfolded has challenged even the most mature resiliency plans. The human costs do not end with the fatalities as furloughs continue. Supply chains remain fractured. Third- and fourth-party risks continue to present new issues while businesses are unsure when and how to return to “normal.” And finally, leaders are overwhelmed with immediate challenges, let alone forecasting and evaluating future risk scenarios.

The sheer number of decisions facing boards and C-suites from this crisis threatens to overwhelm their ability to set risk parameters and to inhibit their strategic decision-making abilities. Natural catastrophes most often have a beginning, a middle, and an end; while we cannot see the outcome of a given storm when it materializes, we can track its path, assess the risk to facilities, and examine operational resiliency.

By contrast, the COVID-19 crisis is almost without peer, and experts cannot tell us when we will emerge from this phase of the crisis, whether the forecasted “second peak” will be as severe as the first, or the degree to which our economy will be impacted or for how long.

Simply put, this crisis demands that leaders rethink the ways in which we define, measure, and manage enterprise risk.

A New Reality

Traditional resiliency measures focused on enduring or evolving risks are not necessarily suitable when contemplating emerging risks like COVID-19. As such, the ways in which we view and measure risk at the board level must change to capture these new realities.

For too long, measuring enterprise risk has been viewed as a compliance exercise at worst and a process that seeks to protect a firm’s value at best. The immediate lesson of this crisis is that the process itself must be dynamic and owned by the board—yet traditional measures do not adequately arm the board to extend its risk horizon.

Metrics That Matter

Metrics must position the organization for decision-making under uncertain conditions and assist in parameterizing the unknown. Organizations, with the guidance of their boards, must:

• Establish measures of risk aggregation and interdependencies across the value chain. Most organizations cannot adequately describe the amount of first-party risk they face, let alone the degree of contingent business interruption that risk presents in their operations.
• Develop resiliency metrics. Organizations collect enormous amounts of data related to productivity, capacity, and delivery across their systems. However, leaders need to ask a different, yet related, question: “How much stress can my organization withstand, and at what points in the value chain while performing or meeting its obligations?” Resilient organizations are both agile and pliant. However, most lack an understanding of how stress can act cumulatively across an organization, which inhibits their ability to act with certainty.
• Create intelligence layers. The velocity of systemic risks necessitates the ability to improve sense-making in an organization and to do so before it is under duress. Firms must collect and analyze information that enables early warning of crisis events, which can provide guideposts to navigate the early days of the crisis. In this manner, intelligence layers must be fashioned that provide barometers for key decision paths.
• Evaluate counterparty risk. Organizations must not only evaluate impacts across their organizations but also collect metrics on the businesses within their supply chains and the partners on which they are dependent.

While this list is far from exhaustive, it points to the need to evaluate fragility across an organization’s value chain and, thus, enable organizations to establish a common denominator and allow different risk owners to evaluate threats and opportunities from the same reference point, such as revenue, earnings per share (EPS), or earnings before interest, taxes, depreciation, and amortization (EBITDA) impact.

Evaluating Future Risk

Closely related to the need for different risk metrics at the board level is the ability to construct risk forecasts that evaluate future risk (discounted in net present value terms). The number of organizations employing scenario-based stress testing methodologies that allow for the investigation of different outcome and assumption sets is startlingly low.

This approach not only shapes our understanding of future risk scenarios but also allows us to evaluate potential shocks across the value chain. As such, organizations can evaluate risk capital investments, including the trade-off between resiliency and efficiency, from the perspective of the potential return on investment for those measures or activities.

Further, the development of future risk scenarios must challenge the assumptions embedded in the organization’s strategies. Too often, leaders dismiss “black swan” or “gray swan” scenarios, as they are unlikely to occur. Instead, it will be important to evaluate risks across the spectrum from enduring to evolving to emerging risks and those areas where they may experience material shocks. The goal is not to forecast the future but rather to reduce and parameterize the uncertainty facing leaders today.

Ultimately, the way we choose to engage this new world will depend on how we define existing and unknown risks. This will require as much focus on continuity as we can muster to understand “discontinuity” in the system and our markets, as well as what this means for leaders evaluating and guiding organizations under uncertain conditions. Indeed, it is incumbent on us all to challenge the ways in which we have conceptualized risk as we navigate the recency bias that is certain to follow this crisis and to posture our organizations for a more resilient future.

Reid Sawyer is the head of the Emerging Risks Group and leader of the US Cyber Risk Consulting Practice at Marsh. In this role, he leads sales, strategy, and delivery of complex risk consulting services to all US clients. The group delivers integrative consulting and analytics solutions addressing strategic risks across cyber, climate, geopolitical, and other evolving threats.