The COVID-19 pandemic is, with little doubt, the most challenging crisis many people will see in their lifetimes and without a doubt, it will be the more challenging crisis that many businesses will face. To successfully navigate these challenging times, firms will need to take a strategic approach; first and foremost, they must protect their existing business and then, look to grow its value as opportunities will no doubt emerge.

Firms who have implemented and embedded an integrated, enterprise approach to risk management will be best positioned for survival and growth at these uncertain times. Such an approach should include;

• Business Model and Strategy, including a suite of Business Objectives

• Risk Appetite and Risk Capacity

• Scenarios

• Financial and Non-Financial Risks. These risks will exist at the Enterprise, Market, Compliance, Technology and Operational level.

A holistic enterprise risk management approach will set the context for your COVID-19 response and recovery.

To effectively respond to COVID-19, firms should quickly review and update any existing response plans (often referred to as a business continuity plan, incident management plan, or crisis management plan) to take into account the specific details of COVID-19.

I would recommend that your COVID-19 plan should be made up of a series of ‘crisis levels’ so that your response can quickly evolve as the nature of this pandemic evolves and changes. For example, for COVID-19, your crisis levels could include;

• Level 1 – Minor disruption to business activities

• Level 2 – Major disruption of business activities

• Level 3 – Partial cessation of business activities

• Level 4 – Complete cessation of business activities

• Level 5 – Firm Recovery or Resolution

At each level, we would recommend you include in your response plans the following eight critical components.

1. Business Impact Assessment (BIA)

Building on your existing enterprise risk assessment process and methodology, undertake a Business Impact Assessment to ensure that the impact of COVID-19 is fully considered, well defined and to identify potential gaps that currently exist.

The Business Impact Assessment should be used to create a shared understanding of the crisis across your business; the board and executive should be heavily involved in conducting the BIA and results should be shared within the firm, as widely as possible. Of course, with appropriate consideration given to protecting sensitive information that will be in BIA.

2. Financials

Determine how to stabilise your financial position to ensure you can survive the crisis in the short term, minimise damage to the business in the medium term and position the firm for growth in the long-term.

Quickly getting clarify on your cash, capital, liquidity and profitability over each of these time horizons is the key to successfully responding to COVID-19.

3. Objectives

Determine a set of very clear objectives for each stage of the crisis and be clear about accountabilities per objective. In the early stages of a crisis, it is reasonable to maintain your focus on pre-crisis objectives mostly; however, as the crisis evolves and deepens this may change.

As your firm moves through the various levels of a crisis; the number of objectives should be reduced to create focus, minimise distractions and ensure effective deployment of resources.

You should get to a point where the board and executive are focused on a small number of well-defined objectives, with clear accountabilities and a clear understanding of the ‘road-map’ which signal where the focus will move to, should the crisis go to the next level. Of course, this road-map must also signal when and how we recover the business and move to (a new) normal operating environment.

4. Critical activities, systems and assets

As the COVID-19 crisis evolves, your definition of what is critical to your business will change. Therefore, it is important to define, for each crisis level, clear, immediate objectives and a set of essential activities (processes and initiatives), systems and assets to be protected and managed.

For your firm to successfully get through COVID-19, and to be positioned for rapid recovery, your brand, your people and your information assets are going to be particularly important. Therefore, particular care must be given to managing these through the crisis.

If your firm has implemented the CIA triad (confidentiality, integrity, and availability) for information assets, use this prioritise and re-prioritise as the level of crisis changes.

Review your process architecture and portfolio of change initiatives to determine what is the earliest point when individual processes and initiatives can be shut down and restarted. If your firm uses the ‘big three’ business continuity indicators; Recovery Time Objective, Recovery Point Objective and Maximum Tolerable Period of Disruption, these should inform decision-making as the crisis evolves.

5. Risk Management, particularly 3rd Party Risk & Counterparty Risk

In any crisis, particularly one of the size and scope of the COVID-19, firms must continue to undertake their risk management activities. As per other critical activities, the level and nature of risk management activities undertaken during a crisis should reflect the crisis level which your firm is operating at. Given the nature of COVID-19, Financial, People, 3rd Party and Counterparty risk will be particularly important.

In addition to managing business-as-usual risk activities, a crisis such as COVID-19, will, without doubt, lead to gaps in the firm’s enterprise risk management framework and processes surfacing.

New risks that are directly related to the crisis will need to be managed as per existing risk management processes. Whether these risks become part of the business-as-usual risk management framework, is a decision for post-crisis.

6. Measurement

The old mantra of ‘can’t manage what you don’t measure’ applies during the COVID-19 crisis; however, what you measure should change in three distinctive ways.

1. Reduce your business-as-usual measurement

To reduce your people’s workloads, and to create focus, reduce the amount of measurement in line with decisions around the firm’s objectives, risks, and critical activities, systems and assets.

2. Use measurement to trigger changes in your response

Use measurement, along with updated risk and business impact assessments, to trigger changes in your response to the crisis. With COVID-19, there are good data sets available which can be included within your decision-making processes. This includes external data sets such as inflection rates, inflection growth rates, death rates. Additionally, national and local governments are communicating actions that the population must take, which will be vital in your respond decision-making.

3. Add measurement to track your response

Add a new, limited set of metrics to track how well your firm is responding and aligned these measures to your (new) prioritises. Change these metrics as your firm moves to different crisis levels.

7. Response Plan and specific tasks

The response to COVID-19 will be driven by a series of very specific, short-term (hopefully) response plans and tasks with clear accountabilities that need to be executed as quickly and effectively as possible. If your firm creates a specific COVID-19 crisis management team or manages through existing management structures, having clear visibility to the status of your response plans and associated actions will be vital. Response plans should signal what will need to be done next at each step, which of course can and probably will change rapidly and often.

8. Communication Plans

Finally, no document about responding to COVID-19 would be complete with mentioning communication. The way that your senior leaders and the firm as a whole communicate to your firms’ stakeholders, both internal and external stakeholders will be vital in navigating this crisis and positioning your firm for recovery and post-crisis growth.

This blog post was originally written by Andrew Smart and posted here

In 2014, the world avoided a global outbreak of Ebola, thanks to thousands of selfless health workers -- plus, frankly, some very good luck. In hindsight, we know what we should have done better. So, now's the time, Bill Gates suggests, to put all our good ideas into practice, from scenario planning to vaccine research to health worker training. As he says, there is no need to panic but we need to get going.

In the matter of a few weeks, the way that people work and play has been turned on its head due to COVID-19. Governments and businesses worldwide have been scrambling to react to the latest twists and turns of this crisis. Many have been caught flat-footed and ill-prepared. Given the nature of COVID-19, and the speed with which it has spread and the impact it is having globally, it is tempting to think about COVID-19 as a Black Swan event.

Blacks Swans

Nassim Nicholas Taleb popularised the concept of a Black Swan event in his highly acclaimed book, The Black Swan. Taleb characterised a Black Swan event using the following three criteria;

1. It is an outlier; it lies outside the realm of regular expectations because nothing in the past can convincingly point to its possibility.

2. It has an extreme impact

3. Despite its outlier status, we work hard to develop an explanation for the event, after the fact, making it explainable and ‘predictable’ (even though it was never previously predicted)

The temptation for Government, Business and other leaders to label COVID-19 as a Black Swan event is compelling.

By labelling it a Black Swan, they do not have to confront the uncomfortable question of; why were we not prepared for this?

By labelling it a black swan, we can brush away concerns that none of our risk management reports or dashboards mentioned pandemic. When voters, regulators, investors and other key stakeholders ask the uncomfortable questions; labelling COVID-19 a black swan event provides an easy answer.

This would be fine except for one very import thing; it is not a Black Swan event.

COVID-19 is no black swan

Simply stated, COVID-19 is not an outlier. It is within the realms of our regular expectations, and there are several similar events in the past.

• Spanish flu (1918, 1957 and 1968) was estimated to have infected 500 million people and resulted in 50 million deaths.

• Severe Acute Respiratory Syndrome (SARS) (2002-2004), a coronavirus, resulted in approximately 8000 cases reported with 774 deaths across 29 countries.

• Middle East respiratory syndrome (MERS) (2012 – 2013) aka Camel Flu, another coronavirus. Approximately 1360 cases reported and 527 deaths.

• Western African Ebola virus epidemic (2013–2016). 26, 646 reported cases and 11,323 deaths.

One could also add to this list the various outbreaks, many relatively localized, of bird flu and swine flu that have occurred regularly over the last 20 plus years.

Bill Gates also hightlighted the risk of a virus-driven global pandemic in 2015 via a Ted Talk he gave in light of the Western African Ebola virus epidemic.

COVID-19 can hardly be called a Black Swan and outside the realm of regular expectations when;

• Governments have included Pandemic on National Risk Registers. For example, the UK Government National Risk Register 2017 included the risk of a pandemic caused by the emergence of new infectious diseases was one of the key risks.

• Governments have ‘war-gamed’ a pandemic scenario; as the UK Government did on October 2016 and as the outgoing US administration did on January 2017.

So if COVID-19 is not a Black Swan, how should we categorise it?

Gray Rhinos

Rather than a Black Swan, perhaps we should categorise COVID-19 as a Gray Rhino. In the context of risk management, the concept of a Gray Rhino was introduced by Michele Wucker in her book; THE GRAY RHINO: How to Recognize and Act on the Obvious Dangers We Ignore. Wucker characterised a Gray Rhino as a highly probable, high impact yet neglected threat.

Could a global pandemic, such as COVID-19 be considered a highly probable event? Would such an event be high impact? Was this is a threat that was neglected? I think the answer to each of these questions is yes.

• Highly probable – as already stated, there have been several similar events as COVID-19, including SARS and MERS both of which are strains of coronavirus.

• High impact – again, the effect from similar previous events and the current crisis demonstrates the high impact nature of this event.

• Neglected threats – given the number of governments, particularly those in the ‘western’ world which had a global pandemic on their national risk registers or had ‘war-gamed’ this risk, and given the apparent lack of preparation done, it is clear global pandemic was a neglected threat.

While I have set out a series of steps that can be taken in response to the COVID-19 crisis here (insert link), below, I would like to set out some thoughts on how and where to include ‘Gray Rhinos’ risks within your Enterprise Risk Management framework.

Many business and risk leaders will naturally feel, in light of COVID-19, that Gray Rhinos type risks should be included in regular board and executive risk reporting packs. However, for many firms, this is probably not the right approach.

Regular Board and Executive risk reporting should focus on those risks directly related to delivering the firm’s strategy; including delivering specific objectives, maintaining the right level of capital and liquidity and protecting operational performance in their ‘normal’ operating conditions. At this moment, pandemic might be regarded as normal operating conditions however it is probably better to make use of an emerging risk report or dashboard to include highly probable, high impact risks.

Alternatively, (and my recommended approach) pandemic and other similar Gray Rhino type risks could be included in scenarios. For many firms, the use of scenarios within their Enterprise Risk Management framework is often limited to meeting regulatory obligations such as the ICAAP, ILAAP and SREP.

However, extending the use of scenarios and war-gaming to ‘stress’ your business strategy, business model and operational resilience in the face of Gray Rhino risks, can add significant value to firms. Four areas where incorporating scenarios into your Enterprise Risk Management framework adds values include;

1. Establishes a shared view and clarify around the firm’s operating environment and strategy. In particular, the critical success and risk factors of the firm’s strategy, and their relative importance on the firm.

2. Enable the firm to establish and maintain the right level of capital and liquidity under ‘normal’ business operating conditions, and quickly understand new levels when operating conditions change.

3. Enables robust challenge and stressing of underlying assumptions made around the firms business strategy, business model and operational model.

4. Finally, including scenarios within your Enterprise Risk Management framework helps create a ‘Risk-Based decision-making’ culture; a culture where risk, of all types, are key considerations within the decision-making process.

So COVID-19 is not a Black Swan event but it does add a new phase to the risk management lexion – Gray Rhino and as is often said, one should never waste a good crisis.

Once we have got through COVID-19, use this experience to strength your approach to risk management, and if I can leave you with two recommendations they would be;

1. Review your approach to risk management and ask do you have an enterprise approach that works, in good times and bad?

2. Consider the use of scenarios as part of your enterprise risk management approach but go beyond using these just to met regulatory obligations (as important as that is) and use them to generate actionable business insights and to build a Risk-Based culture.

This blog post was originally written by Andrew Smart and posted here