Throughout the Covid-19 pandemic, organisations and risk management professionals have responded in a variety of ways to limit the impact to their operations. Whilst some have reacted quickly, demonstrating robust leadership, flexibility and effective communication, others have struggled to do the right thing at the right time, putting additional pressure on their people, processes, and systems.

Leadership has been challenged by a lack of useful intelligence and data to support business decisions, leading to knee-jerk, short-term reactions. Some supply chains were caught off guard, with limited contingency plans for strategic sourcing options in an interconnected global crisis.

The Covid-19 pandemic is not a “black swan” risk. The black swan metaphor has promoted a mentality and sense of helplessness in the face of daunting threats and provided a cover for failing to act in the face of clear and present dangers.

Covid-19 and risk management challenges

People risk: At an operational level, many businesses’ processes were found wanting around the long-term business impact on office space; for example, the ability to supply home workers with laptops, monitors and basic office furniture to make working at home possible, safe and healthy. This scenario has escalated health and safety to “people risk management”, and as such, a higher profile of most organisational risk registers.

Supply chain risk: Decisions taken to achieve capital efficiencies can change the profile and shape of risks. Manufacturing plants consolidated into fewer, larger locations to leverage production cost savings, and a reduction of suppliers within supply chains to leverage discounting can collectively impact the business model and risk profile of an organisation. Changes may intensify location and supplier risk severity profiles and amplify risk aggregation through the connected effects of change. This will in turn impact business continuity and crisis management plans, which should be adjusted after running new scenarios, integrating holistic threat monitoring and event triggers, and modifying the level of readiness and agility required to respond. We anticipate a review of supply chain risks addressing the balance between global benefits and local controls.

Business continuity and crisis management: While Airmic members report a positive experience in terms of organisational crisis management response, and that as professionals they had the right competencies and mindsets to think and act at an enterprise level to deal effectively with the Covid-19 pandemic, they also reported a more critical role for risk professionals going forward and the supplementary knowledge and skills required to achieve this. This response was most notable in crisis management, in collaborative working generally, and in understanding the interconnectivity of different risks and engaging with business, specifically. Covid-19 has amplified the challenges of a siloed approach to risk management and clearly highlighted the challenges created by a disconnect between strategic risk and operational resilience and response.

The resilient organisation

Organisations that that have a culture of risk identification, scenario modelling and mitigation, as well as a system and culture encouraging them to “speak up”, are much better placed to respond to the fluidity of crises and to embrace innovation and the potential upsides of uncertainty.

These organisations derive the strength of their culture from the tone set from the top, through visible executive support, through an active risk leadership and by demonstrating the value of risk in decision-making.

The resilient organisation requires significant board-level support but achieving and maintaining resilience and successful digital transformation is even more challenging. Research by Airmic has identified eight requirements for achieving resilience and digital transformation:

1. A risk radar that is focused on emerging risks and developments in technology
2. The resources and assets to be able to take full advantage of developments in technology
3. Relationships and networks that are constantly developed and extended
4. Rapid response supported by excellent communication within the organisation
5. The ability to review and adapt to events to protect and enhance reputation
6. Redesigned processes that embrace new technologies and encourage innovation
7. Retention of stakeholders during the transformation by analysing big data
8. Reinventing purpose by opportunity awareness, commitment and capabilities.

Corporate purpose is a way to express the organisation’s impact on the lives and objectives of its stakeholders. At no time has this been more critical than during the Covid-19 pandemic. A clear purpose inspires the organisation’s people to do good work. It can be an effective way to align effort across the organisation towards achieving a common goal. However, in a more socially connected and aware society, it is increasingly seen as a talent retention and recruitment selling point.

The pandemic risk effect

The onset of the Covid-19 pandemic challenged organisations and their leaders unlike anything else in recent memory. Many business leaders had to make decisions of strategic importance in real time, knowing that the impact on their employees and stakeholders could be extraordinary. Few decisions will have been perfect, and those made quickly and amid a panic-inducing global emergency will almost certainly require some adjustments.

As the crisis moves along, leaders need to take the opportunity to pause, record and reflect on the lessons learned. They need to avoid hard-to-reverse outcomes that may be regretted and ensure that what follows is designed and driven so that this is better. However, it is tough to look longer term when the crisis timeline loops back because of further pandemic spikes, as we all want to move towards a form of “normality” and economic recovery.

Alignment of risk intelligence and strategy

Dealing with long-term, rising-tide crises such as pandemics is not something that current organisational resilience has been set up to manage. Top management and risk professionals will need to be comfortable dealing with uncertainty, allowing them to better identify opportunities and threats, and rise to the occasion.

Organisations tend to focus on threats associated with the business environment, where materiality is clearest due to shifts in customer demand and the competitive landscape, and where they have more control over their choice of direction.

Decisions taken by an organisation to achieve capital efficiencies can change the profile and shape of risks. Post-pandemic, manufacturing plants consolidated into fewer, larger locations and a reduction of suppliers within supply chains could collectively impact the business model.

Changes may intensify location and supplier risk severity profiles and amplify risk aggregation through the connected effects of change. This will in turn impact business continuity and crisis management plans, which should be adjusted after running new scenarios, integrating holistic threat monitoring and event triggers, and modifying the level of readiness and agility required to respond.

In practice, although a robust discussion of principal risks would also likely capture high-impact/ low-probability risks such as a pandemic, few organisations currently have a formal process for identifying these risks or can specify how they apply this in practice.

While the approach for these risks should be analytical, it should also be creative and pragmatic, reflecting the complexity of uncertainties to secure buy-in and actionable results. Often there are no right answers. Assessing probability is notoriously challenging for these risks and creating angst over doing this can act as a distraction.

Risk management beyond Covid

There is a host of risks that are visible and predictable and that businesses subconsciously choose to ignore. Big problems, such as impacts from a pandemic, are often neglected until it is too late.

Based on discussions with Airmic members, there is a tendency for organisations to manage risk in business silos and for senior leaders to play down high-impact/low-probability risks until they are on the risk register. Most resource assigned to managing risk continues to be focused on neartime, downside risks, rather than risks further out on the horizon.

As the complexity of the world continues to increase, the pace of change heats up, further spikes of the pandemic potentially occur and recovery collides with further crises, these risks cannot be a strategic afterthought as we return to whatever “normal” might look like.

The frequency of risk assessment, analysis and response should be a function of how fast risks are changing and the level of their materiality, rather than be determined by traditional institutional administrative cycles. The dynamics of crisis management are different, and a crisis may overtake an organisation before the risks have been fully understood and the response options properly calibrated.

Risk professionals can have a role to ensure that strategy, tactics, and operations are fully synchronised and mindful of unanticipated eventualities. Organisations must move faster, drive innovation, and adapt to and shape their changing pandemic and post-pandemic environment. The key to successful agility is for risk professionals to develop new mindsets, for their competencies to move at the same pace and for them to operate as part of an integrated and collaborative team.

Julia Graham is deputy CEO and technical director at Airmic, the UK association of insurance and risk managers.