What pandemic has taught us about risk
Sectors such as retail, hospitality, health care and manufacturing do not appear to show much evidence of well-structured enterprise level top-down risk management functions
As I sit at home in lockdown, I am reminded of the lyrics of Beautiful Boy containing this famous line: “Life is what happens when you are busy making other plans”. Covid-19 has thrown the spanner into the works without exception for everyone — individuals, businesses and governments alike. It has struck us all swiftly and changed our daily routines, mindsets and, perhaps, our futures in dramatic fashion.
A question that comes to mind is “Could we have anticipated this and therefore better prepared to deal with this?”
We all have to acknowledge that the risk of a pandemic has been talked about many times and parts of the world experienced the impact of Sars, Ebola and Zika in the not too distant past. A pandemic has been on the list of the World Economic Forum’s lists of top risks for several years.
Despite this, it appears that most organisations and governments were caught completely unprepared and are struggling to deal with the various unplanned aspects. In short, they are thinking on the fly.
As a risk professional, I believe this is because the non-financial sectors have not had a track record of practising “Enterprise Risk Management”, which the financial sector — thanks to regulators and the Global Financial Crisis of 2008 — have internalised in their strategic planning. And are, perhaps, better off for this.
Been around awhile
Those of us who have worked in the BFSI (banking, financial services, insurance) industry and especially in risk management are all too familiar with ERM. This discipline has been around since the 1960s and evolved rapidly into a complex science replete with sophisticated models and tools. And indeed, it is a favourite pastime of regulators. Credit for this must go to the regulators who rightfully have to “protect” financial institutions from “failing” as they hold public money. The crisis of 2008 also provided impetus for development of ERM.
Financial institutions are required to have a strong and functioning risk management structure that is independent, knowledgeable and accountable to regulations. They must demonstrate risk frameworks that mitigate all types of risks — those known and less known across the probability/impact spectrum and based on a variety of scenarios).
Less equipped
In contrast, other sectors such as retail, hospitality, health care, manufacturing, (and the list can go on) do not appear to show too much evidence of well-structured enterprise level top-down risk management functions and discipline.
This is borne out by a 2017 Global ERM survey carried out by RIMS (Risk Management Society) with nearly 400 senior executives across 14 industries including financial services. Nearly two-thirds of respondents were from large companies with revenues of $500 million and 80 per cent of respondents were from the US. About 92 per cent of respondents from the financial services sector said that ERM is either fully or at least partially integrated in their companies, implying that it is practised in a structured fashion at the corporate and business unit level. In contrast, only 50 per cent of respondents from non-financial sectors stated their organisations were practising some sort of an ERM programme.
It would be a fair assumption that, if in large companies in developed markets in non-financial sectors this is the picture, in emerging markets and at smaller companies, ERM would be a bridge too far.
Deployed by all
ERM as a discipline offers many tools and concepts that enable any entity to proactively identify, assess, mitigate and monitor key risks in a structured fashion. These are not just limited to “event risks” like Covid-19 or a geopolitical catastrophe. It can be any major risk that prevents reaching strategic objectives at an organisation. Other major categories addressed by ERM can be strategic risks — business model disruption and disintermediation — or operational (risk of human, technology and process failures or fraud).
These can also be legal and regulatory risks. Senior management and boards in organisations that have not invested in ERM need to make amends by first getting a buyin for initiating dialogues at their level and building awareness through specialists or external interventions.
It would be useful thereafter to embark on a structured process of risk identification, assessment, mitigation, monitoring and cascading ERM in the firm. All of this would have to be supported by proper governance and metrics to ensure progress is sustained and measured.
ERM is a journey ...