“Not another Covid-19 article”, I can imagine you all thinking to yourself. This article isn’t intended to be an assessment of risk management performance associated with the current global coronavirus pandemic, but it is hoped that the ideas discussed provide some food for thought for organisations, and individuals, as business continues to recover.
The question is: How can we apply learning, in the context of risk management, to make us all more resilient in the future?
1 – We Can’t Predict Everything…
…but we can pay attention to the risks that have been identified and plan for them accordingly. It has been widely reported that both the UK National Security Risk Assessment (NSRA) and the Global Preparedness Monitoring Board had issued stark warnings that a global pandemic was highly likely. In response to the threat identified in the NSRA, the UK Influenza Pandemic Preparedness Strategy was published in 2011. This was, evidently, a credible risk that required a fully developed management strategy, yet the question remains whether the proposed mitigating measures were developed as thoroughly as they could have been. Perhaps there was a feeling that this wouldn’t actually happen.
We can’t always control the likelihood of all risks, but we can control our response to them. Which risk handling strategy is adopted should be a decision of careful consideration; as a minimum, we should understand:
- Our organisational risk capacity and appetite for risk[1];
- The potential impact as fully as we can;
- Mitigating options and their cost of implementation.
There are many more considerations but with the above knowledge an organisation can understand whether it can tolerate the risk, should it occur, and a cost benefit analysis can be carried out to understand whether the cost of doing something is greater than the cost of accepting the risk (i.e. doing nothing). As a minimum, I would always encourage Risk Owners to have fallback plans worked up.
- Monitor (and respond to) Trends in Key Risk Indicators
Each risk has a timeframe; for project risks this may be quite short in duration whereas at organisational, national or global level the types of risk faced may have a lifespan of multiple years. In this scenario, it’s common for risks to become stale; it’s my view that as we become used to seeing certain risks on a risk register, we can become almost ‘blind’ to them. In some cases, it could even be described as complacency. When risks are first identified there is a lot of attention given to assessing, developing and implementing response plans; oftentimes, the same level of attention is not given to risks that have been ‘identified’ for a long time.
The learning here is that we must pay attention to the changing context in which we do business and respond appropriately rather than become complacent about risks that we have long identified. It is important that organisations regularly perform horizon scans, and monitor and re-assess the risks that they face. Developing Key Risk Indicators, including both leading and lagging indicators, can be particularly powerful in assisting an organisation to identify trends in the risks that they face so that they can respond accordingly.
In the case of Covid-19, the publication of ‘A World at Risk’ by the Global Preparedness Monitoring Board in September 2019 urged the world to prepare for a global pandemic and provided a 7-point plan for preparedness. This should have been a trigger for a review of our preparations for this risk. Even as we began to see the crippling effect on China, it has been debated whether the rest of the world took too long to respond. The risk was clearly trending upward, but did organisations respond quickly enough to that information?
3 – The Power of Networks
We have a tendency to consider and assess risks on an individual basis, but we must recognise that the interaction of risks with each other, and the resultant cumulative impact, can be of far greater significance than that of the discrete risks themselves.
It’s extremely common to see projects, business units, even entire organisations operating in silos, as though they are independent from any external influence. We live, and conduct business, in a time when our world has never been more interconnected. We must comprehend the entirety of the environment in which an organisation exists and operates; from the global and national context, throughout the organisation and all the way down through the supply chain. We need to keep our eye on sector, national and global risks as well as those stemming from throughout our supply chain; and we should be cognisant of the network we create as a result of the relationships we have with external parties.
The impact of Covid-19 is the perfect example of the ripple effect that can occur through the value chain – from top down and from bottom up; in the Aviation sector, for example, there is the significant impact from top down being the travel restrictions imposed at global and national level resulting in a significant reduction in passengers and, subsequently, revenue. At the same time, many airports are seeking to take advantage of quieter operations to advance infrastructure development, with many now facing risks and issues regarding supply chain availability and productivity. These external factors must be well-thought-out as part of the risk management considerations of any organisation.
As a starting point, we should consider the interaction between projects and programmes within the same portfolio. From there, we need to expand our thinking. How can other business operations affect our objectives? How can external parties affect our organisational or project objectives? Mapping out and understanding our value chain will bring these relationships and interactions to the fore.
4 – Put Theory into Practice
Thinking particularly about Business Continuity Management, there is typically a lack of testing which should be undertaken continually to re-validate the effectiveness of any Business Continuity Plans (BCPs) as the environment changes around us. As discussed earlier, we often talk about staleness of risks and their assessments but focus even less on the staleness of fallback / contingent plans.
One scenario that comes to mind is the potential for an organisation to have well-documented Business Continuity Plans but a failure to test them sufficiently e.g. only under hypothetical scenarios that you may consider to be a controlled environment. When they are enacted for real you may be surprised to find fundamental flaws in your plans; even such simple things as storing your BCPs electronically: one scenario enactment may require you to test how you respond should the grid go down unexpectedly and power to the Head Office be lost. Would you have access to your BCPs if they are created and stored electronically? If your BCPs are inaccessible, attempts to recover may be futile.
The importance of risk management is being highlighted on a wider scale than at any other time in recent history. Risk management, applied well, can deliver the resilience that businesses will need in order to recover from this crisis. From crisis management to business continuity and scenario planning, risk management can provide the coordinated enterprise-wide response that is needed in order to emerge from the pandemic stronger than competitors and take lessons for how future challenges will be averted or addressed.
[1] Look out for our upcoming article on this topic
