Risk Management

COVID-19: A Steep Learning Curve in Risk Management for Many Boards and CEOs

As a result of the rapid, unimaginable spread of COVID-19, the business world has had to stare into the most yawning risk abyss in generations.

Unparalleled economic, societal, and financial impacts are shaking every aspect of our lives to their very core.

Across the business sector, the effects of COVID-19 are revealing the extent to which organisations have under-invested in essential risk management skills and practices. Their stockholders, suppliers, customers, and employees will suffer from this myopia, possibly for generations to come.

So, why have so many organisations failed to take risk management seriously? Why doesn’t risk management play a larger role in shaping more resilient organisations – both operationally and financially? To what extent has this crisis highlighted weaknesses in the governance of organisations?

Risk management has not usually earned a place as an agenda item or been allocated much time in board meetings at many organisations.

Mundane risk management matters are often tucked away at the back of an operations or finance report. Risk management papers are included as an add-on to an audit committee agenda or a combined audit and risk committee, at best. In addition, the pivotal role of a Chief Risk Officer is uncommon outside large organisations.

The position is even worse at smaller organisations. Often, risk managers sit in a divisional function and are usually seen as administrative or compliance people. They are tasked with overseeing and reporting on a range of important yet disparate issues such as workplace health and safety, physical security, or regulatory and compliance matters. More often than not, risk management is kept in the backroom.

Debt levels at many companies have increased following mergers and acquisitions. Businesses were acquired or grown outside home markets with little apparent regard to geopolitical or supply chain risks. Capital structures were ‘optimised’ with debt-funded buybacks and capital returns. And finally, many organisations have been found to have little spare cash or liquidity to see them through even a short period of business disruption. As an example, US airlines reportedly used 96% of free cash flow on stock buybacks over the past decade.

Whilst the intervention of governments and central banks will ease some pressures, it will only paper over the cracks. As we saw leading into and during the Global Financial Crisis, it now appears that many organisations have pushed the risk envelope too far.

New visibility for risk management

There is some good news. As the COVID-19 pandemic crisis unfolds, the value, to organisations and shareholders, of implementing a more comprehensive approach to risk management is becoming more apparent. In savvy businesses, impacts of the pandemic have given risk managers – where they exist – new visibility. Using their deep knowledge of an organisation’s DNA, risk managers are ideally placed to play critical roles in assisting with business continuity and reshaping operations.  Those with true foresight have also been better placed to activate business continuity plans. They have been able to support their staff to work from home seamlessly and have reorganised supply chains.

The organisations that have made this investment tend to be clustered in industries with a long history of managing risks, such as banking, insurance or mining, or have a regulatory requirement to do so. They have implemented well-thought-out governance and risk management frameworks that have been refined over time.

BHP, the world’s largest mining company by market capitalisation, is a model of what ‘good’ looks like.  BHP is exposed to a wide range of financial and operational risks. These include production stoppages, changes in demand for its commodities and volatility in commodity prices. In its 2019 annual report, BHP stated that it carried out a robust assessment of its principal risks, including those risks that would threaten the business model, future performance, solvency or liquidity. BHP considers detailed, downside scenarios that include no new borrowings for three years.

Similarly, the boards and CEOs who remembered the lessons of the Global Financial Crisis have been able to effortlessly tap liquidity and cash reserves, built up for an event just like COVID-19.

At large, well-funded and resourced corporations, risk management takes on many different forms. But even the best risk management team in the most resourced, forward-thinking company will have been challenged to predict a scenario that involved such global economic and social disruption. Yet the bottom line is that this is not an excuse for not investing in improving risk management.

Into the future

To build more resilient organisations, Boards and executives will need to critically review how they discuss, assess, and manage risks. They will need to define the organisation’s governance of risk management in more granular detail, further build out risk management infrastructure and recruit experienced risk managers.

The management of risk will be embraced as an integral activity in all strategic planning, decision making, and business oversight, as demonstrated by the likes of BHP.

This will need to be a top-down initiative to ensure that it is embedded and enduring.  Chief Risk Officers will need to be appointed, with the authority and resourcing to implement real and sustainable change.

Boards and executive teams will also need to allocate more of their time for scenario planning, stress testing and a more fulsome discussion of emerging risks. Organisations will need to institutionalise horizon scanning for potentially adverse business outcomes from known, emerging and unknown risks.

Much of the source material already exists.  Academic, governmental, and business publications produce regular reports that identify and describe a range of economic, geopolitical, social, and environmental risks. The World Economic Forum publishes one such list each year, in the lead up to its annual forum in Davos, Switzerland. These reports have periodically pointed to pandemics as key risks. Unfortunately, pandemics always move up the rankings after events, such as SARS and H1N1, then down the rankings as the memory fades.

Boards and executives should leverage internal and external expertise and devote far more time to a strategic analysis of business risks. Formal, structured risk management reviews should accompany any proposal being taken to a board for discussion or approval.

It is not too late for business leaders to start building the resilient organisation of the future. Those who survive the pandemic can rebuild stronger businesses.

A rethink of governance, more conversations about risk management around the board table, and ongoing investment in risk management will assist organisations to get through what will, no doubt, be other external shocks in the future. Hopefully, these are not of the magnitude that we have seen in 2020.

Let’s not squander our learnings from the COVID crisis. At the very least, one of the lasting legacies from this unfortunate episode should be the building of more resilient, better prepared, and more sustainable businesses.
