This article is in collaboration with Trinity’s global partner, B. Riley (written by Corey Gooch and John Bugalla).

Introduction

Now that the recovery from COVID-19 has moved into high gear, leadership teams be re-evaluating their strategies as they are operating in a world filled with volatility, uncertainty, complexity, and ambiguity. Part of the recovery strategy should include a re-examination or implementation of an Enterprise Risk management (ERM) program.

Background

ERM emerged almost two decades ago as a best practice alternative to the traditional approach to risk management – sometimes referred to as managing individual risks in stand-alone insurance programs or in functional business siloes. Traditional risk programs are useful. However, they are only one tool when it comes to managing the risk that will affect the ability of the company to protect its future or to achieve its strategic plan.

Most larger organizations, both the privately held and publicly traded, now have some form of ERM program. This trend is now moving to mid-size and family-owned businesses, as the traditional risk management tools do not always respond to the business needs. The biggest example is occurring now, where property and business interruption insurance programs provided virtually no coverage from the COVID-19 pandemic. While they were never intended to cover this type of non-physical damage risk, it was a big surprise to many organizations.

ERM takes a different approach to risk that answers the fundamental questions: “what strategic risks and uncertainties do we face as we strive to achieve our strategic plan?” and “does our risk assessment process give our leadership team both accurate visibility into strategic risks we face and sufficient value decision-making and management tool?”. Typically, an ERM program includes an organizational-wide risk assessment and prioritization process where the risk data is compiled into a “Risk Register” and/or a “Risk Map” was created. The different risks were assigned to various “risk owners” and they are responsible for on-going monitoring or mitigation efforts and then reporting the progress to executive management and the board of directors.

Some benefits companies receive by implementing ERM include:

  • Reduced operational disruptions;
  • Improved cost of borrowing;
  • Reduced earnings volatility and increased cash flow; and,
  • Enhanced corporate governance with key stakeholders.

Why should organizations consider updating or implementing ERM now? One result of the pandemic is that the strategic and operating landscape for organizations worldwide and entire industry sectors is currently in an accelerated transitional phase that will change forever how they manage risks with complex interdependencies. This includes everything from supply chains to talent management and information security. Looking back at how risks were being managed on the ground level is always going to be 20/20. In order to survive and grow, a new approach to risk is needed. The key for executives is to make sure that risks are being managed with a cockpit view and not a rearview mirror.

Actions to be Taken

As mentioned above, the advent of COVID-19 and the dramatic changes to the operating environment over the last two years requires action from executives to re-examine and re-evaluate the fundamental decision-making within their risk management program. In order to be prepared to resume and recover operations in the new normal, a few critical steps than can be taken now include:

Step 1. Re-examine risk registers and reassess all risks.

Almost every organization had some view of their own risk universe before the pandemic, but COVID-19 has impacted work forces who were working remotely and were shuttered in place. Supply chains at every level were stress tested. New risks have emerged. The previously assessed financial risks should be re-evaluated based on the very real and now measurable costs associated with the current operating environment. When conducting risk identification and assessment process, side by side comparisons should clearly illustrate the differences between those identified risks prior to COVID-19 and after the pandemic.

Step 2. Consider risk mitigation alternatives.

After the reassessment is completed there may be a need to consider additional mitigation strategies if the assessment indicates that any given risk is above desired risk appetite levels. If there are any key risks that are above desired risk appetites, deep dives should be conducted to gain both greater insights about the risk and actions that may be considered to reduce or eliminate the risk. In some cases, the cost of risk mitigation is greater than the benefits of mitigation. Risk owners should clearly understand that the risk has been accepted and a budget for its acceptance may have to be created. Emerging risks that are known but not yet quantifiable should be on the new risk register and assigned to a risk owner in order to keep executive management and the board up to date on changing conditions.

Step 3. Re-examine business continuity plans.

Most organizations also have a crisis management plan, but how many have tested its effectiveness in advance of a global pandemic scenario? As we have seen, a pandemic did not represent a traditional business continuity risk. It challenged the way many organizations respond to risk. Physical assets (factories and systems) were available for use, but the employees, suppliers and customers were affected and not available. There was also the added pressure to the bottom line as traditional insurance coverages did not respond to business interruption in the case of a pandemic. Traditional business continuity plans address the most obvious physical threats but do not consider the intangibles such as the reliance on key workers and access to operating systems that might not be available, or without customer demand. However, an integrated approach to business continuity…one that is event agnostic…is key when responding to a threat. It is necessary to reduce complexity and maintain continuity of operations across an organization at a time when resources will be diminished.

Step 4. Communication is critical.

Management of information flow is a key challenge. Staff and customers are seeking information and reassurance at a time when messages transmitted by the media may be piecemeal, skewed in nature, and potentially melodramatic. Two-plus years on, we are just starting to see the restrictions on movement of people being lifted. And now there are conflicting messages provided by public authorities regarding the potential of a global recession. As a result, executive and senior management must play a key part of managing the workforce’s anxieties and concerns by maintaining an effective organizational response. Additionally, the potential reputational consequences of not having an effective crisis communication plan in place could be devastating.

Step 5. Plan for resumption and resiliency now.

Organizations need to fully recognize how the risks to their operations have changed from the pandemic and develop a resiliency plan before it is too late. Business resumption plans do not need to be just written down. They also need to be tested if they are to have the desired results following any event. Without considering the effect on key customers, suppliers, as well as the employees, there is no ensuring the ultimate post-crisis survival of the business.

Conclusion

COVID-19 was not an unknown risk. It has been listed on the annual Global Risk Report from the World Economic Forum for over 15 years. New decision-making will be required as organizations continue to recover and operate in a world where disruption is the new normal. Those decisions should be based on up-to-date information about their risks and opportunities. Companies need to develop their plan of action now. If risk management recommendations are seriously considered, the negative unexpected consequences from future risks could potentially be reduced or better managed.

Warren Buffet once quipped: “It’s only when the tied goes out that you learn who’s been swimming naked”. In a world where constant volatility is quickly draining financial and human capital resources, many executives will discover if their risk management program is just compliance driven or if they need an Enterprise Risk Management program to create value to support achieving their strategic plan.

Corey Gooch is Managing Director of Enterprise Risk Management at B. Riley Advisory Services based in Los Angeles, CA. John Bugalla is Managing Principal of Enterprise Risk Management at B. Riley Advisory Services based in Indio, CA.

Trinity and B. Riley can help you and your organization be prepared when the unexpected happens. Inquire now through this link: https://trinity-insures.com/collections/service-solutions/products/risk-management-and-loss-prevention