Firms that have implemented and embedded an integrated, enterprise approach to risk management will be best positioned for survival and growth in these uncertain times. Such an approach should include;
A holistic enterprise risk management approach will set the context for your COVID-19 response and recovery.
To effectively respond to COVID-19, firms should quickly review and update any existing response plans (often referred to as a business continuity plan, incident management plan, or crisis management plan) to take into account the specific details of COVID-19.
We would recommend that your COVID-19 plan be made up of a series of ‘crisis levels’ so that your response can quickly evolve as the nature of this pandemic evolves and changes. For example, for COVID-19, your crisis levels could include:
Level 1 – Minor disruption to business activities
Level 2 – Major disruption of business activities
Level 3 – Partial cessation of business activities
Level 4 – Complete cessation of business activities
Level 5 – Firm Recovery or Resolution
At each level, we would recommend you include in your response plans the following eight critical components.
Building on your existing enterprise risk assessment process and methodology, undertake a Business Impact Assessment (BIA) to ensure that the impact of COVID-19 is fully considered and well defined, and to identify potential gaps that currently exist.
The Business Impact Assessment should be used to create a shared understanding of the crisis across your business; the board and executive should be heavily involved in conducting the BIA, and the results should be shared within the firm as widely as possible, with appropriate consideration given to protecting the sensitive information that the BIA will contain.
Determine how to stabilise your financial position to ensure you can survive the crisis in the short term, minimise damage to the business in the medium term and position the firm for growth in the long term.
Quickly getting clarity on your cash, capital, liquidity and profitability over each of these time horizons is the key to successfully responding to COVID-19.
Determine a set of very clear objectives for each stage of the crisis and be clear about accountabilities per objective. In the early stages of a crisis, it is reasonable to maintain your focus mostly on pre-crisis objectives; however, as the crisis evolves and deepens this may change. As your firm moves through the various levels of a crisis, the number of objectives should be reduced to create focus, minimise distractions and ensure effective deployment of resources. You should get to a point where the board and executive are focused on a small number of well-defined objectives, with clear accountabilities and a clear understanding of the ‘roadmap’ which signals where the focus will move to, should the crisis go to the next level. Of course, this roadmap must also signal when and how we recover the business and move to (a new) normal operating environment.
As the COVID-19 crisis evolves, your definition of what is critical to your business will change. Therefore, it is important to define, for each crisis level, clear, immediate objectives and a set of essential activities (processes and initiatives), systems and assets to be protected and managed.
For your firm to successfully get through COVID-19, and to be positioned for rapid recovery, your brand, your people and your information assets are going to be particularly important. Therefore, particular care must be given to managing these through the crisis.
If your firm has implemented the CIA triad (confidentiality, integrity, and availability) for information assets, use this to prioritise and re-prioritise as the level of crisis changes.
Review your process architecture and portfolio of change initiatives to determine what is the earliest point when individual processes and initiatives can be shut down and restarted.
If your firm uses the ‘big three’ business continuity indicators (Recovery Time Objective, Recovery Point Objective and Maximum Tolerable Period of Disruption), these should inform decision-making as the crisis evolves.
In any crisis, particularly one of the size and scope of COVID-19, firms must continue to undertake their risk management activities. As with other critical activities, the level and nature of risk management activities undertaken during a crisis should reflect the crisis level at which your firm is operating. Given the nature of COVID-19, Financial, People, 3rd Party and Counterparty risk will be particularly important.
In addition to managing business-as-usual risk activities, a crisis such as COVID-19 will, without doubt, lead to gaps in the firm’s enterprise risk management framework and processes surfacing.
New risks that are directly related to the crisis will need to be managed as per existing risk management processes. Whether these risks become part of the business-as-usual risk management framework is a decision for post-crisis.
The old mantra of ‘can’t manage what you don’t measure’ applies during the COVID-19 crisis; however, what you measure should change in three distinctive ways.
To reduce your people’s workloads, and to create focus, reduce the amount of measurement in line with decisions around the firm’s objectives, risks, and critical activities, systems and assets.
Use measurement, along with updated risk and business impact assessments, to trigger changes in your response to the crisis. With COVID-19, there are good data sets available which can be included within your decision-making processes. This includes external data sets such as infection rates, infection growth rates and death rates. Additionally, national and local governments are communicating actions that the population must take, which will be vital in your response decision-making.
Add a new, limited set of metrics to track how well your firm is responding and align these measures to your (new) priorities. Change these metrics as your firm moves to different crisis levels.
The response to COVID-19 will be driven by a series of very specific, short-term (hopefully) response plans and tasks with clear accountabilities that need to be executed as quickly and effectively as possible. Whether your firm creates a specific COVID-19 crisis management team or manages through existing management structures, having clear visibility of the status of your response plans and associated actions will be vital. Response plans should signal what will need to be done next at each step, which of course can and probably will change rapidly and often.
Finally, no document about responding to COVID-19 would be complete without mentioning communication. The way that your senior leaders and the firm as a whole communicate to your firm’s stakeholders, both internal and external, will be vital in navigating this crisis and positioning your firm for recovery and post-crisis growth.