Traditional risk management thinking is inadequate for the current Covid-19 crisis, and indeed future crises that may inevitably follow.
For years businesses have concentrated on identifying generic risk, which excludes cross-disciplinary risk or multiple interconnected risks.
Business leaders have leant on historical data as an indicator of the size and probability of a possible event, however they now face a combination of diverse risks which are of a magnitude not seen before. Global warming, pandemics such as Covid-19, and so on.
Historically, the focus for business has been on quantifying risk, but not on the integrated behaviour of risk. The influence of Enterprise Risk Management (ERM) proposed by the Committee of Sponsoring Organisations of the Tread- way Commission (COSO) has meant that we focus on making sure our businesses can demonstrate:
• Governance and culture
• Strategy and objective setting
• Review and revision
• Information, communication and reporting
However, this approach has distracted business leaders from a more comprehensive and resilient attitude to the identification of risks.
From the 20 principles that COSO propose, only four are important to understand risk identification:
• The identification of risk
• Prioritization of severity
• Implementation of risk response
• Developing a portfolio view
WHERE ARE BUSINESSES GOING WRONG?
Business leaders may identify the top 10 risks in terms of size; ignoring the potential of other initially low probability risks whose impact changes from week to week, such as Covid-19. Consequently, these lesser priority risks – based on historical size – may have an interconnected behaviour which could result in a catastrophic outcome.
Leaders should not only focus on the number, size or probability but also on the thorough identification of multiple areas of uncertainty, hazards and risk.
THE 5 AREAS OF RISK THAT SHOULD BE IDENTIFIED
Drawing on our extensive research, we believe that business leaders should consider looking at their operations from five dimensions:
• Generic Risk – the current method of generic silo identification e.g. health and safety, environment, legal etc.
• Interface Risk – risks that occur at the interface of processes or operations.
• Causation Risk – commonly called a chain of causation or cascade where one risk triggers another.
• Accumulation Risk – where several disparate risks occur within a very short period of time.
• Emerging Risk – truly new risks not just previously identified risk types which occur in new areas.
As seen through the current Covid-19 pandemic, our businesses need to adapt and become agile in their approach to risk, focussing on different risk factors as they change week to week, e.g. supply chain risk and customer demand risk. They need to develop a team that can identify these types of risks earlier in the risk management activity.
Firms that don’t take risk identification seriously, may face challenges or even ultimately liquidation due to poor risk identification processes.
The five dimensions above reflect the complexity of the ‘real world’ and facilitates a cross disciplinary approach to the holistic identification of all risks which is auditable. Business leaders who embrace risk identification from the start will be able to provide a more comprehensive understanding of their firm’s risk portfolio and better prepare themselves and their businesses for a climate of uncertainty in the future.