Junita van der Colff, Managing Director, Protean Business Solutions at Aon Risk Consulting Solutions South Africa
As the whole world knows, we’re in an unprecedented crisis, and many of us have been caught unawares by the COVID-19 global pandemic, and or underestimated its impact, much of which remains unknown, even though, there have been warnings in our recent history.
Since 2010, Bill Gates has been warning the world that we are unprepared for a pandemic. After interviewing him in 2015, Ezra Klein of Vox wrote that, “A pandemic disease is the most predictable catastrophe in the history of the human race, if only because it has happened to the human race so many, many times before.”
As companies struggle to get to grips with the many unanticipated challenges emerging from the pandemic, they should now more than ever need to understand the need to change their approach. Risk management in isolation will not improve a company’s overall resilience or response to the challenges, or the unqualified consequences, where a holistic business approach is required to positively change ‘the curve’.
There are four aspects to resilience that companies must internalise:
ANTICIPATE
We need to improve our ability to anticipate, essentially this refers to our ability to assess our internal and external operating environment and identify the risks and opportunities faced to reach our strategic objectives. Humans are inherently not very good with anticipating, and a common response is ‘it has never happened’ or ‘that will never happen’. Risks are often managed and viewed in silos, with each specialist risk area just looking at the risks related to them rather than the whole. Risk Management as a discipline has evolved and should be a strategic enabler of a more ‘enterprise’ view.
Enterprise risk management has undergone vast changes
In the past, companies were most concerned with mitigating losses. Risk management was seen as a ‘tick-box’ exercise that companies complied with grudgingly. Risk managers were identified to manage risk and a silo approach prevailed, with various departments like health and safety or finance taking on responsibility. Companies focused on operational risk (that which they could control easily) and applied different risk methodologies in various specialist risk areas. A static risk register on an Excel spreadsheet was the norm.
Today, we are far more focused on creating AND protecting value.
Risk is integrated into business and presents various opportunities to build and safeguard resources. All staff should have a sense of ownership, applying a holistic risk and opportunity methodology and using dynamic, up-to-date information that is always freely available. Companies should consider strategic and project risk as well as operational risk, looking for value-adding information that brings about better decision-making.
What are the benefits of enterprise risk management?
Risk management should be a combined effort, with the risk team, business and assurance providers working together. Proactive behaviour should be the order of the day, with teams focusing on anticipating uncertainties and crises.
The aim is ultimately to put an early-warning system in place. If we can spot ‘red flags’, we can act promptly and with confidence. Providing combined assurance is an extra line of defence during a crisis.
It also creates stakeholder trust if shareholders, customers and the public know that your company is managing its risks effectively.
Some key actions:
• Understand the external and internal context – gather as much information as possible.
• Identify possible risks and understand the contributing factors.
• Rate risks to enable prioritisation of limited resources - What is the likelihood of each risk, and what would the impact be?
• Understand what you are already doing to respond to the risk.
WITHSTAND
We need to ask ourselves if our businesses have the operational resilience to withstand these events.
Millions of companies worldwide – restaurants, bars, theatres, gyms, cinemas, casinos – are either restricting operating hours and visitor numbers or closing their doors. Have we built in operational resilience and do we understand our response to ‘red flags’?
Some key actions:
• If you don’t have an adequate mitigating response in place, identify action plans, assign action-plan ownership, and stipulate due dates.
• Identify and track key risk indicators or red flags.
• Build operational resilience by identifying and addressing single points of failure.
RESPOND
Emergency response: An immediate response to an incident, where actions need to be taken swiftly to safeguard life, looks at limiting injuries and preventing the escalation of physical damage to assets. In the current crisis, it means safeguarding the wellbeing of staff and guests, putting disinfecting measures in place, and possibly shutting down affected premises temporarily.
Crisis management: Senior management must engage in strategic decision-making and provide leadership during the event/incident. This includes ensuring that the brand’s image and reputation remains untarnished. Is the brand making the right decisions at the right time and informing stakeholders on a regular basis? Can you be sure of stakeholder confidence at this time? What is being reported in the media?
Some key actions:
• In terms of reporting incidents/potential cases of COVID-19, develop and test an appropriate protocol that is aligned with the World Health Organisation and local authorities.
• Activate crisis management plans (including crisis communications) to discuss a strategic enterprise-wide response.
RECOVER
Finally, we need to consider what it will take to recover – do we have a Business Continuity Management (BCM) plan in place?
Business Continuity: Can your company recover or continue with urgent or critical business processes and meet the predetermined Recovery Time Objective (RTO) to minimise the impact on the organisation?
Disaster recovery: Do you have plans and processes in place that will help you to restore IT services, if applicable? These services frequently support the business within the acceptable RTO.
Companies that rely on outdated business models should change their approach and focus on building resilient ecosystems that can adapt. Importantly, companies should be able to adopt more flexible ways of working and trust their employees to drive business forward in a way that differs from ‘business as usual’.
Some key actions and thought-provoking points:
• Your crisis management team should invocate a business continuity management plan.
o If a BCM plan is in place, this will need review.
o New lessons have already been learned – document these for review and updating of the plan.
• Now more than ever is the time to revise and update your various business impact drivers and present documented responses to the various vulnerabilities identified.
• An opportunity now presents itself to be braver, by way of unpacking ‘doing business differently’ for the future, that will churn the margins and mitigate the impacts of future crises like pandemics.
• We would hazard the use of Artificial Intelligence (AI) and robotics will be accelerated within business at large
o will this be your business?
o to what degree?
o how will your suppliers and clients implement AI and how will this impact your present business resilience plans?
• It is essential to now follow your documented standard operating procedures. These have been tested, however there is now also a need to be flexible where in this crisis, the SOP/s are found to be not resilient enough.
In conclusion, people for the most can be seen to respond differently, some with panic and fear – it is a natural response. However, good leadership can mitigate this, by reassuring staff and customers, making educated decisive decisions based on the responsible, qualified approach.
COVID-19 will have a dramatic impact on our economy, but economic concerns should not override the legal and moral obligations that companies and governments have towards their employees and citizens.