Before COVID-19, few organizations would have considered prioritizing the remote risk of a pandemic over more common events. However, as the past year has demonstrated, dismissing such scenarios entirely is no longer a viable strategy.
The COVID-19 pandemic has been called a “low-probability, high-impact risk” that no one could have predicted. This is simply untrue. In fact, since the World Economic Forum (WEF) started releasing its Global Risks Perception Survey in 2007, the risk of a pandemic and/or rise in chronic or infectious diseases has often been featured in the top five risks in terms of likelihood and/or impact. Even in the 2020 report, while the possibility of a pandemic did not make the list of top risks, special mention was made of the threat. It found that no country’s health care system was fully prepared to handle an epidemic or pandemic, and that progress against pandemics was also being undermined by vaccine hesitancy, which could pose serious risks for organizations in future.
The risk of a pandemic also has ample precedent. In recent years, the world has seen a number of “near misses” from the likes of bird flu, swine flu, SARS and MERS. Such warnings were largely ignored, however, because the spread of those viruses was ultimately contained, infection and death rates were low, and they did not adversely impact major western markets like the United States and Europe.
In the past 20 years alone, there have been at least three major “once-in-a-lifetime” global shocks: the 9/11 attacks, the 2008 financial crisis and now the pandemic. Each caused or will cause years of economic disruption and required lengthy periods of recovery. The point is simple: Low-probability, high-impact events occur more frequently than many people realize or care to admit. Additionally, these events have a massive impact on almost every aspect of the business. So what can risk professionals do to better address these threats?
The Gaps in Business Continuity Planning
Typically, business continuity planning and resilience testing are the two key defenses that organizations rely on to maintain operational capability when disaster strikes. However, in many organizations, such planning has usually revolved around issues that management could reasonably expect to deal with at some point in the near future. COVID-19 was not one of those.
“If you live in an area that suffers from earthquakes or hurricanes, for example, then naturally your business continuity plans will take such situations into account,” said Jim Zeches, senior GRC consultant at cybersecurity risk management firm IT Governance USA. “What the COVID-19 pandemic has done is make many organizations firefight situations they believed would never take place, and it’s obvious how little many have planned for such eventualities.”
Modeling risk scenarios on historical data and averages has also proved to be an unreliable way of preparing for catastrophic events. According to Jim DeLoach, managing director at risk consulting firm Protiviti, many organizations have been “hamstrung” by their over-reliance on analyzing historical risk data to help prepare for future crises.
“During the 2008 financial crisis, even when it became obvious to analysts and investors that the losses were so bad that some firms would fail, banks and other financial services firms resolutely believed that the mortgage market would survive because it had endured without incident for 125 years,” DeLoach said. “Instead of looking at the situation unfolding in front of them—and reacting to it—a lot of firms didn’t move because they thought that, since the market had never collapsed before, it was not possible for it to do so now. But looking back doesn’t tell you what might be ahead. So-called ‘once-in-a-lifetime’ events can happen. Organizations need to accept that and make resilience a priority.”
Assessing Potential Risk Exposure
To get a better idea of how to prepare for low-probability, high-impact risks, risk professionals can perform a number of useful exercises. One of the most obvious, DeLoach said, is to conduct horizon-scanning exercises to see what could happen in the future. They will then need to assess the impact of such risks, which includes conducting a review of where there might be any operational weak links.
“Any signs that the business is overly dependent on a couple of individuals or organizations for any aspect of its operations should be flagged as a potential risk for management to consider,” he said. “For example, is there a single point of failure anywhere in the organization? Is the business heavily reliant on a key individual or a particular supplier or customer? Would the business survive if a key market was cut off? Does one product or service account for over half of the company’s revenues? Asking these kinds of questions should highlight areas that need further review and management action.”
Risk professionals should avoid being too specific about the type of event they plan to respond to and prepare for. “You don’t need to second-guess what the event will be that will trigger the impacts that you think will be the most severe to the business,” DeLoach said. “The board is not going to listen to you if you try to plan for specific but remote, niche scenarios, such as the possibility of asteroids hitting the earth. Boards want assurance—not guesswork.”
Instead, he said, “It is more useful for risk management to focus on how the business could be affected by a high-impact event and where the most vulnerable areas of the organization are, rather than guess what the event might be—such as supply chain disruption, loss of customer base, operational shutdown, and so on—and work out what resources, processes, plans and level of resilience capability the organization will need to cope with a major disruptive event. Risk managers then need to build a business case about what steps the organization should take to improve its resilience and agility.”
To determine their level of risk exposure, organizations need to understand what their critical assets are and calculate how much money the company would lose if those operational areas suffered any amount of downtime. Once they have established the scale of any losses, risk professionals then need to work out how to make these areas or processes more resilient. “Companies need to know how they can keep operating if disaster strikes,” said Andrew Beckett, managing director for cyberrisk at risk consultancy Kroll. “They need to identify the key areas that must be protected or that can be replicated elsewhere, if necessary, to ensure business continuity.”
For example, he said, “If a manufacturer produces different parts in several locations, which plants could continue production if one or more of its factories were forced to shut down for days, weeks or months? Which factories could fill the gap in the meantime? How would components be shipped and assembled if parts of the supply chain collapsed? Similarly, if a data center is forced to close, can an organization switch to another one quickly and seamlessly? Will customers be affected? Are there contractual or regulatory obligations that might be affected and, if so, what could the costs be to the business?”
Camilla Winlo, director of consultancy at data risk management firm DQM GRC, believes that the key to future resilience is to question whether existing resources can be deployed more effectively. “No business can treat every risk facing them, and risk management is often about making difficult decisions on which risks the business must simply accept and live with,” she said. “Low-probability, high-impact scenarios often fall into this category—but while you can hope that they never crystallize, if they do, it will be an emergency. This can lead to businesses doing less than they should when considering them.”
Because it is impractical to implement a strategy targeted specifically at a single low-probability, high-impact scenario, Winlo said organizations should instead consider defending against risks that have similar effects. This means looking at the organization’s critical success factors and processes and considering how management can respond if the business gets disrupted.
“You do not need to imagine a pandemic specifically to consider whether your business model is overly dependent on sales through a particular channel and to think about how you might diversify,” she said. “By considering the disruption caused by risks rather than the high-impact events themselves, risk managers increase the likelihood for leadership engagement.”
It is also helpful to consider what the organization would need to be able to respond with greater agility. “Key questions to ask include: Would your key people be up to that kind of challenge? Does the organization have the right communications channels in place? Where would your funds and resources come from to manage the crisis? What bottlenecks would emerge? What factors would play in your favor?” she said.
In addition, companies should look for the “upside” of such risks and consider how they might position the business to succeed when gradual changes become steep and sudden. These kinds of conversations “should sit much more comfortably alongside the kinds of strategic planning discussions management teams enjoy,” Winlo said.
Gaining Management Support
Getting management buy-in is crucial to reviewing—and potentially revising—any crisis management response to a high-impact event. When presenting to the board, risk professionals need to explicitly tell directors why they should care: Failure to act will cost money, damage the company’s reputation and affect market share. “They need to put the ‘so what’ right under the nose of the board if management is to take risk managers seriously,” said Debbie Bowen-Heaton, partner at management consultancy Oliver Wight.
Risk professionals can take a number of practical steps to get the attention of senior management and the board. First, risk management should put in place a “risk radar” that assesses the probability and impact of risk, Bowen-Heaton said. This should then be reviewed regularly by management as part of their leadership team meetings with the objective of proactively building contingency plans for high-impact risks. From there, risk management should implement a process to communicate executive decisions and responses to the rest of the business. Finally, risk professionals should continuously monitor the actual impact of risks as they materialize, as well as the deployment of risk management plans, so that the business responds swiftly and effectively.
Other experts agree that explicitly spelling out what the costs of a low-probability, high-impact event (or a series of them coming together, as has happened with COVID-19) is key to gaining the board’s attention. But it is also essential that risk professionals produce figures that executives can understand, rather than relying on vague terms, such as “reputation damage.”
“Telling the board that the company could be hit by reputational damage and legal and regulatory penalties doesn’t mean a lot unless you can provide some sort of rough figures,” said Alex Toews, risk solutions manager at software vendor Fusion Risk Management. “If you want to prove your case, think in dollar terms and cite known examples.”
To get executives on board, Toews suggested a two-pronged approach: Risk professionals should have the necessary data or evidence at hand to show the scale, costs and damage of the potential disruption, and they should try to align with other assurance functions like internal audit, compliance, legal and IT to speak with a “unified voice” to convey the strongest possible message and effectively lobby for management action to improve resilience and responsiveness.
“Risk managers often make the error of presenting a load of risks without quantifying the data behind them,” Toews said. “Explain what the data is and what it means to the business in cost terms. Tell management how the risk information provides credence that there could be a serious problem if steps are not taken now to prepare for it. Show them where the vulnerabilities are, what the short- and long-term damage and disruption to the business could be, what the financial impact could be in dollar terms, and how these weaknesses can be mitigated.”
Toews added that it is important for assurance functions to work more closely together and to deliver recommendations based on a singular, unified view. He also recommended that these functions collaborate to provide more integrated assurance. This will help promote a more informed risk culture within the organization where everyone understands what risk management means and what part they can play in implementing changes to make the business more resilient. “If risk management joins forces with other assurance functions to deliver the same message, it has a much better chance of being listened to,” he said.
Risk professionals should also look at quantifying qualitative data. For instance, Toews said, can the company be forced to pay contractors under a clawback clause if a power outage, flood or forced closure prevents it from completing an order? What would the financial costs to the business be if the company was forced to outsource operations to another provider to fulfill contractual obligations? Could the company be hit with multimillion-dollar fines if customer data is hacked as part of a cyberattack? What percentage of customers would likely use a competitor’s services if the company fails to deliver, and how many would choose to stay away long-term? Have any of these scenarios happened to other companies? If so, how badly were they impacted? What were the costs? How did they bounce back? “Showing management and executives that you have thought through the implications of these kinds of scenarios will help get them on board,” he said.
More Than “Once-in-a-Lifetime”
“There is no doubt that risk managers need to reevaluate their assessment of catastrophic—yet palpable—risks,” Toews said. “Scenarios that previously would have seemed outlandish are taking place more frequently than organizations are giving them credit for.”
Risk professionals can no longer afford to dismiss these threats as sheer fantasy or ignore their impacts and their ability to affect other high-priority organizational risks. By adopting a broader perspective on risk assessment and opening up the discussion with executives, risk professionals can improve organizational resilience and risk preparedness, no matter the scenario.