ERM and COVID-19

by Frank Strenk

“The real trick in life is to turn hindsight into foresight that reveals insight.”

      - Robin Sharma

There is no question that the COVID-19 pandemic has been a devastating occurrence from a medical, personal and financial standpoint. We really won’t know the full impact for quite a while. However, as a risk management professional I know we can learn a lot from all that is being done to cope with and mitigate the impact of the virus.

Be Prepared or Fall Behind

Some companies and organizations were in a better position to deal with the consequences of COVID-19 than others. For example, the companies that were prepared to have employees work from home hit the ground running. Other companies that weren’t prepared struggled to get systems in place, deal with HR issues and communicate re-assuring messages to clients. One thing that could have helped companies to be better prepared was to have a robust and interactive ERM process in place. During the many risk assessment engagements I have been involved with pandemic risk is identified as a potential exposure. This risk is typically measured as low likelihood but high severity on a risk heat map (falling in the upper-left corner).

In performing risk assessments companies typically focus on the upper right-hand quadrant of the risk map, high likelihood and high severity risks. I have always cautioned not to ignore those risks in the upper left-hand quadrant, low likelihood but high severity. We also need to be sure we fully understand the inherent, residual and desired risk levels of these exposures and that mitigation strategies are effectively implemented and monitored.

This all raises another question. Now that we have identified the risk and are implementing mitigation plans, are we sure we are on the right path to successful mitigation? This is where a strong risk committee comes into play. Risk committees are charged with reviewing organizational top risks and evaluating emerging exposures. In the case of COVID-19 for example, some companies were better prepared than others by anticipating and preparing for the virus once it broke in China.

A few questions to think about as you consider the value that your ERM program is having on your organization:
  • Do we have a process to identify emerging risks?
  • Do we monitor and audit our mitigation plans?
  • Do we hold our risk owners accountable?
  • Do we test our business continuity plans?

A robust and sustainable ERM program can help companies better anticipate exposures and as a result be better positioned to manage the impact of a catastrophic event. While we all know hindsight is 20/20 maybe we can learn from the COVID-19 event and be better prepared for the next catastrophe.