Topics: Risk Management
Topics: Risk Management
May 5, 2020
May 5, 2020
The COVID-19 crisis has outpaced the resiliency mechanisms of most global businesses, bringing two related elements into stark relief: First, the degree of businesses’ hyper-connectivity exceeded the comprehension of most organizations. Second, many firms did not account for the risks inherent in the trade-off between efficiency and resiliency. Together, these two dynamics have revealed a degree of fragility within organizations—and indeed, the overall system—previously thought impossible.
Whether or not we face a second wave of the pandemic, systemic threats—such as climate change and cyberattacks—demand new approaches to managing risk at the board level.
As the pathogen’s arc is reaching its peak in many parts of the world, the uncertainty facing boards is only increasing. The velocity with which this crisis has unfolded has challenged even the most mature resiliency plans. The human costs do not end with the fatalities as furloughs continue. Supply chains remain fractured. Third- and fourth-party risks continue to present new issues while businesses are unsure when and how to return to “normal.” And finally, leaders are overwhelmed with immediate challenges, let alone forecasting and evaluating future risk scenarios.
The sheer number of decisions facing boards and C-suites from this crisis threatens to overwhelm their ability to set risk parameters and to inhibit their strategic decision-making abilities. Natural catastrophes most often have a beginning, a middle, and an end; while we cannot see the outcome of a given storm when it materializes, we can track its path, assess the risk to facilities, and examine operational resiliency.
By contrast, the COVID-19 crisis is almost without peer, and experts cannot tell us when we will emerge from this phase of the crisis, whether the forecasted “second peak” will be as severe as the first, or the degree to which our economy will be impacted or for how long.
Simply put, this crisis demands that leaders rethink the ways in which we define, measure, and manage enterprise risk.
Traditional resiliency measures focused on enduring or evolving risks are not necessarily suitable when contemplating emerging risks like COVID-19. As such, the ways in which we view and measure risk at the board level must change to capture these new realities.
For too long, measuring enterprise risk has been viewed as a compliance exercise at worst and a process that seeks to protect a firm’s value at best. The immediate lesson of this crisis is that the process itself must be dynamic and owned by the board—yet traditional measures do not adequately arm the board to extend its risk horizon.
Metrics must position the organization for decision-making under uncertain conditions and assist in parameterizing the unknown. Organizations, with the guidance of their boards, must:
While this list is far from exhaustive, it points to the need to evaluate fragility across an organization’s value chain and, thus, enable organizations to establish a common denominator and allow different risk owners to evaluate threats and opportunities from the same reference point, such as revenue, earnings per share (EPS), or earnings before interest, taxes, depreciation, and amortization (EBITDA) impact.
Closely related to the need for different risk metrics at the board level is the ability to construct risk forecasts that evaluate future risk (discounted in net present value terms). The number of organizations employing scenario-based stress testing methodologies that allow for the investigation of different outcome and assumption sets is startlingly low.
This approach not only shapes our understanding of future risk scenarios but also allows us to evaluate potential shocks across the value chain. As such, organizations can evaluate risk capital investments, including the trade-off between resiliency and efficiency, from the perspective of the potential return on investment for those measures or activities.
Further, the development of future risk scenarios must challenge the assumptions embedded in the organization’s strategies. Too often, leaders dismiss “black swan” or “gray swan” scenarios, as they are unlikely to occur. Instead, it will be important to evaluate risks across the spectrum from enduring to evolving to emerging risks and those areas where they may experience material shocks. The goal is not to forecast the future but rather to reduce and parameterize the uncertainty facing leaders today.
Ultimately, the way we choose to engage this new world will depend on how we define existing and unknown risks. This will require as much focus on continuity as we can muster to understand “discontinuity” in the system and our markets, as well as what this means for leaders evaluating and guiding organizations under uncertain conditions. Indeed, it is incumbent on us all to challenge the ways in which we have conceptualized risk as we navigate the recency bias that is certain to follow this crisis and to posture our organizations for a more resilient future.
Reid Sawyer is the head of the Emerging Risks Group and leader of the US Cyber Risk Consulting Practice at Marsh. In this role, he leads sales, strategy, and delivery of complex risk consulting services to all US clients. The group delivers integrative consulting and analytics solutions addressing strategic risks across cyber, climate, geopolitical, and other evolving threats.