Risk management is proactive, peering around corners to identify uncertainties that may impact the organization's ability to achieve its objectives. Crisis management is reactive, marshaling resources to respond to a risk that has already manifested and requires immediate attention. Both require senior leadership engagement to be effective, but the roles and methods can be very different, and the chief risk officer (CRO) may be the best person to address both.
If CROs are typically focused on addressing how current exposures might impact future results, what is their role in the middle of a crisis, when a significant risk has already manifested? Many CROs have had to manage crises, but the current pandemic is pushing everyone into uncharted territory. The challenge (and opportunity) for CROs is to pursue actions that add value for their enterprises, both in the moment and for the long-term.
Immediate Crisis Management
Most organizations have established an all-hands-on-deck approach for their senior leadership teams to deal with the coronavirus outbreak, which is expected and appropriate. All aspects of organizational activity have been impacted, and all leaders have a role to play in dealing with the countless discrete challenges arising. But what should CRO’s focus be?
When leaders react in the moment there is often little time to assess the impact of decisions, and their actions to address the immediate crisis might create additional risks. Organizations do not have to wait for unintended consequences of well-intended decisions to manifest before addressing these kinds of collateral risks. CROs are skilled at anticipating these very kinds of outcomes. Having them intimately involved in these discussions provides a real-time forward-looking perspective on the known (or seemingly unknown) implications of these directives.
In some cases, the CRO’s insights might inform how the decisions are carried out, to ensure that the initial objective is accomplished in a manner that does not negatively impact some other part of the organization. In other scenarios, management may continue down the original path, but identify additional or alternative risk responses to decrease a vulnerability that may otherwise be created. Moreover, management’s ability to articulate the thoughtful, risk-informed process it followed in formulating its crisis response could also pay significant dividends in the future. Identifying risks up-front provides a record that may clarify real-time decisions to oversight or regulatory bodies in subsequent audits or investigations.
CROs bring a different lens to crisis management, advising leadership on the risk-based implications of the rapid decisions that must be made. CROs can help anticipate unintended consequences, proactively plan for them, and maintain a record for the future—all without distracting from the immediate demands on management for timely action in the midst of a crisis.
Actions to Address Immediate Crises:
- Demonstrate to senior leaders how a proactive risk-management lens can be an invaluable component to crisis response.
- Commit to assessing enterprise-level crisis response decisions for collateral consequences across all risk types, including reputational risk.
- Provide feedback to crisis response teams on potential risks their real-time decisions are creating, as well as potential mitigations that might limit these exposures.
- Proactively engage risk officers throughout the organization to monitor for emerging risks resulting from crisis response decisions. Provide a simple, standard mechanism to report emerging risks, as soon as they are identified, to the crisis response team.
- Lead the effort to document the crisis management team’s risk-based decisions, including the decisions themselves, a straightforward risk-based rationale, and the nature of any identified risks that are being accepted as a result. If feasible, place these decisions in the context of the organization’s risk appetite. A simple, standard form (stored in a central repository) can be used to enable easy access during future reviews by auditors, regulators, or inspectors general.
Longer-Term Crisis Management
CROs are also uniquely suited for dealing with a crisis such as the current pandemic by anticipating the risks to their organizations when the crisis ebbs and it is time to ramp up normal operations. The vast majority of the leadership team is almost exclusively focused on dealing with the current organizational stresses from a vantage point of a few days or weeks. But someone should be anticipating the challenges that may confront these enterprises when the “all clear” is given and the competitive pressures of the business world—or mission requirements in the public sector—are suddenly subject to circumstances they never previously encountered.
Risks will likely manifest across the whole organization, including operations, compliance, financial, human capital and even the very essence of the enterprise. Strategies may need adjustments based on new market realities, while internal operations and even organizational culture may require modifications to maintain consistency with the organization’s mission, vision and values. Each of these realities will introduce risks that were not evident just a few weeks ago.
In many respects, operations will likely not be back to normal immediately. Organizations will encounter all manner of obstacles in their effort to return to normalcy. To avoid another kind of crisis when resuming operations, someone should be analyzing these risk areas, anticipating likely scenarios, and developing risk responses that can be deployed in a proactive rather than reactive way. The organization’s CRO is perfectly suited for this responsibility.
Actions to Address Longer-Term Crises:
- Activate processes that are normally used for annual enterprise risk assessments, but focusing specifically on the risks associated with the return to normal business operations. As appropriate, differentiate between a partial return over an interim period and the final re-establishment of full business operations.
- Engage senior leaders to determine if the pandemic has fundamentally changed the organization’s mission, vision and values, its enterprise-level strategic objectives, or its risk appetite. Align risk identification and analyses to any updates to these overarching concepts.
- Provide guidance and standardized tools for risk officers to update the current enterprise risk profile, along with new entrants for consideration that are specific to the post-pandemic environment. Consider the full portfolio of risk types should be considered, including strategic, financial, operational, and compliance. Particular consideration should be given to workforce-related risks given the massive disruption to the workforce as a result of the current crisis, as well as reputational risks that may otherwise be missed without proactive assessment.
- Risk identification should include both top-down and bottom-up activities, with the CRO taking the lead to get input from senior leaders, while risk officers capture insights from across organizational business units. These efforts should be pre-planned and targeted to minimize disruption to current crisis response activities.
- Aggregate the input received, create/update risk statements, assess the risks for likelihood and impact to assist prioritization, and prepare potential risk responses for leadership consideration.
- As the nature of the pandemic evolves, this exercise should be ongoing and dynamic, perhaps including updates on a pre-defined cadence established by the CRO and senior leadership.
- Update the enterprise risk profile based on the preceding activities and provide the results to the organization’s senior risk governance board.
- Commit to working alongside business owners to provide advice on the effective implementation of risk responses as early as possible to reduce the likelihood of risk manifestation.