Effective Risk Management in Context of the Pandemic
This is a guest post from Michael Rasmussen of GRC 20/20.
The COVID-19 pandemic has caught a lot of organizations by surprise. But, should it have?
We have had pandemics in the past—history teaches us this over and over. The World Economic Forum has regularly reported pandemic risk on their global risk reports over the years. Political and business leaders have warned us of pandemics.
So, why has it caught so many organizations off guard?
The problem: an unbalanced view of ERM
The reality is that organizations have not had a balanced view of enterprise risk. Too many enterprise risk management programs (including corporate risk management and operational risk management) have been focused on highly visible risks, such as IT security, while not paying attention to the significant, but low-likelihood, risks like a pandemic.
Risk management will fundamentally change because of the COVID-19 pandemic. We will see a lot of enterprise risk management (ERM) programs become more balanced and monitor a broader array of risks that can impact the organization and its objectives. As a result, we will see greater focus on environmental risks such as climate change, health and safety risks, quality risks, third-party supplier risks, and more.
There is, and will continue to be, a growing breadth of enterprise risk management and risk ownership by executives and business operations. We will see a growing number of organizations expand and invest in enterprise risk management programs coming out of the pandemic.
Staying resilient in light of challenges
Another significant change in risk management will be a greater focus on operational resiliency. Before the pandemic, the United Kingdom had already been leading the world in operational resiliency regulation with the combined effort of the Financial Conduct Authority (FCA), Prudential Regulatory Authority (PRA), and the Bank of England (BoE). Organizations can expect global interest in operational resiliency regulation across industries and jurisdictions, to ensure that organizations and entire industries are prepared for the next crisis.
Operational resiliency requires an integrated approach to risk management, particularly operational risk management and business continuity management. I have been stating for 15 years that risk and business continuity management need to come together and be under one function and not continue to operate independently of each other.
Too many business continuity programs were caught off guard by COVID-19, as they were nothing more than IT disaster recovery functions and did not prepare organizations for a crisis like we now face. Business continuity will grow, expand, and mature because of the pandemic and will become an integrated part of risk management programs to deliver operational resiliency to organizations.
The outcome of the pandemic
The overall outcome of the pandemic on risk management will see organizations adopt stronger strategies for governance, risk management, and compliance (GRC). OCEG defines GRC as a capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).
The use of technology for GRC, and in the specific context of risk management and operational resiliency, will expand in organizations. Organizations will look for technology that enables an enterprise view of risk that is linked to objectives of the organization.
Technology should enable organizations to plan for risk scenarios and monitor an enterprise view of risks. All organizations should strive to stay agile for the next crisis, to be able to monitor risks as they develop, and to model the impact of the risk on objectives so the organization can plan and remain agile in the midst of uncertainty.
Bonus content: free COVID-19 templates from AuditNet and Workiva
To help your organization avert risk, no matter what software you use, we collaborated with AuditNet to create four critical templates, covering risk management, business continuity, preparedness and planning review, and more.
Download them now, and keep your organization running smoothly despite the risks of COVID-19.
For more information on making sense of what’s happening in the world of risk and how to keep your team on track, visit our Handbook for the New Normal of Accounting, Finance, and Risk.
About the Author
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC)—with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 22+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC,” being the first to define and model the GRC market in February 2002 while at Forrester.