- Corporate Security
- Governance, Risk, and Compliance
- Information Security
Governance, Risk and Compliance
By Resolver Modified June 26, 2020
While risk teams may have had pandemics included in their risk registers, COVID-19 emerged so quickly that most organizations didn’t have the chance to review or test their contingency and business continuity plans before putting them into practice.
In a recent workshop that we hosted with RIMS, we looked at the impact of emerging risks and how risk teams are at the forefront to help prepare their organizations to be more resilient in the future.
We started the session by asking the audience what they had experienced to be the biggest impact to their organization due to COVID-19.
49% of respondents said that mobilizing a remote workforce was the biggest challenge, while 15% selected financial liquidity (based on 192 responses). While not surprising that mobilizing a remote workforce was the biggest challenge teams experienced at the onset of the pandemic, many organizations claimed that although they had some plans in place, it happened so quickly that ensuring that all aspects of their business could continue to function was a hurdle.
What is an emerging risk? According to ISO, “New, previously unknown or not considered, “emerging” risks can pose the greatest challenges to resilience, safety and operational and business continuity. These “new and/or increasing” risks can be related to different areas of activities, such as new processes, new technologies, new types of workplace, or social or organizational change.”
How is an emerging risk identified? An emerging risk always starts in a cloud of fog, you can’t see it and don’t really know what it is. But over time, as you start to see the risk emerge, your team is signaled that something might be happening that could impact your organization and alerts you to start paying attention and conduct more research. The next phase is acknowledgement and acceptance of the risk. This happens when you’re able to access more data points to help you determine what the impact of the risk really is to your organization. It’s only after the acknowledgement and acceptance of that risk, that you’ll begin to see the risk management approach appearing (i.e. the management strategy or options that are in place to actually deal with the risk).
Managing Emerging Risks with Scenario Impact and Action Mapping
Generally, risks are measured by impact and likelihood. But likelihood is difficult to measure and can be subjective. It can also prolong the discussion of the prioritization of risks. A more effective method is to compare the potential impact of a risk against how much action you want to take to mitigate it through scenario impact and action mapping.
Measuring the impact of a risk goes beyond just the moment in question. For example, COVID-19 has had a very serious impact on the health of communities, but its impact can also be felt on the economy. Beyond that, there is also a reputational impact that organizations will face post-crisis. How did they handle it? Did they live up to their values? etc.
You can measure all the different risks that you might face against the action side. If there is nothing to be done to deal with the risk, it can sit below the dotted line. But if there are actions that can be taken that will have a drastic impact on the organization, those risks should sit in the top right corner.
This exercise while simple, is effective in prioritizing activities for risk teams. It can be done using post-it notes, a whiteboard or through software. Here’s an example of what this looks like using Resolver’s software:
Once you’ve determined your current situation, you’ll want to look to the future to map out potential scenarios so that your team can be as well-equipped as possible.
Use your current situation as your base case. By mapping out future scenarios in this way, you can very quickly prioritize where actions will need to be taken and when. This task only takes a few minutes and can be done by different teams. It’s a simple yet effective way to ensure you have a full picture of what could possibly come.
Triggering Response Plans
Once you have that mapped out, you can determine the management options or controls that work best for those scenarios. For example, let’s say that you have an employee abroad during the onset of the COVID-19 travel restrictions. In the earlier exercise, you would have already mapped out all of the potential risks in either bringing them back to headquarters or having them shelter in place. Your management options in this example are the controls that you set in place to offset the risks that you’ve identified. If the employee is in a country where access to healthcare is an issue and they are unable to return home, a management option here could be to move them to a hotel that is closer to a healthcare facility while still observing travel restriction mandates.
Apply each option to your scenarios and see how they change the risks. As you work through all of these, one of the management strategies will be the most effective for the majority of the scenarios. You will very quickly reach a course of action that can then be instigated and/or investigated in more depth. This is an exercise that if you keep super simple and data-free can be completed quickly and will allow you to keep up to date on the situation in real-time.
Organizational resilience requires an early identification and analysis of issues, as well as a rapid response to adjust to any emerging risks. Risk teams can use this opportunity to consider new delivery models for mobilizing and sustaining their ERM program, performing scenario analyses for emerging risks, and establishing response and recovery plans.
The final question we asked our audience was what the top priority will be for their risk team over the next 6-12 months. Of 165 responses, unsurprisingly 42% responded that their focus will be setting up a framework for future emerging risks.
Real-time risk management and continuous assessments are a great way to kick start this initiative. By ensuring that you have the most up-to-date information, you’re able to implement impactful and effective controls as necessary. Interested in learning more about leveraging technology to manage emerging risks? Connect with our team today or take a guided walkthrough of our Risk Management software.