For the past year, public companies with mature enterprise risk management programs have found that their ERM framework paid off during the pandemic. A strong ERM program helped them better understand COVID-19’s potential impact on revenue and operations. By using ERM to help correlate perceived risks with appropriate mitigation measures, these companies were then able to formulate plans to manage pandemic threats and moderate negative impacts.
“What COVID-19 taught us is that the pace of change is accelerating,” said Tom Easthope, senior enterprise manager on the ERM team at Microsoft. “Volatility is increasing, requiring a strong risk management culture of adaptability to survive and prosper.”
Here, four risk management leaders share their perspectives on how their organizations’ ERM program provided a firmer grasp on a slippery and fast-moving crisis. As Melanie Steiner, former chief risk officer of PVH Corporation, summed it up, “If ever there was a strong business case for ERM, this was it.”
A Three-Phase Process
PVH Corporation is a large American clothing company whose fashion brands include Tommy Hilfiger, Calvin Klein and IZOD. For the first six months of the pandemic, Steiner was responsible for overseeing the company’s ERM program and related crisis management policies and practices.
“Like it was for other ERM leaders, COVID-19 was probably the largest risk event any of us had ever seen in our corporate lifetimes,” said Steiner, who is now a board member at environmental services company US Ecology, Inc. “We were fortunate to have an ERM framework to think through the dimensions, with documented business continuity plans in place to maintain our resilience. It was a real-life example of ‘the more organized you are, the better off you are.’”
These plans included analyzing PVH’s liquidity risk—the company’s ability to pay its debts without enduring catastrophic losses. As government decrees across North America and Europe temporarily shut down many brick-and-mortar stores, PVH needed to assess the impact to liquidity from a potentially serious decline in revenue.
“No company is built for zero revenue,” Steiner said. “We had to determine how much cash we had on hand and how much we needed. To do that, we performed financial scenario plans and stress tests, examining how long the lockdowns might last in different locations. We also needed to think through logistical issues like the need for travel restrictions, and the health and safety of our people, particularly as they began working from home, and practical issues like childcare.”
This period of analysis and reflection was phase one of what became a three-phase ERM project. During this initial phase, Steiner collaborated closely with PVH’s heads of risk management and human resources to execute the company’s crisis communication plan.
The second phase focused on the actions needed to emerge from the crisis. It involved the participation of a broad group of business unit leaders and C-suite executives, including CEO Emanuel Chirico, and a series of tabletop exercises to assess related recovery strategies.
In these sessions, participants asked a series of questions about hypothetical financial, operational and organizational threats to mitigate possible impacts. “The exercises also gave us a way to look at the crisis strategically, seeing ways to position the company to gain a competitive advantage once the lockdowns ended and the crisis lessened,” she said.
The third phase encompassed the actions necessary to both moderate the business impact of the pandemic and emerge from it as a stronger company. These efforts appear to have been successful. PVH reported better-than-expected fiscal results in the third quarter of 2020, and from then through January 2021, its shares outperformed the S&P 500.
“By looking at risks systemically, ERM can be a game-changer,” Steiner said. “Like a car, a company is a system. If you get a flat tire, you’re unable to drive. With ERM, you look across the enterprise at all the things that can bring it to its knees, giving you insights to stay on top of each one.”
As vice president for enterprise risk management, Jeff Matsen oversees the ERM program and related crisis management for Edwards Lifesciences, a medical technology company operating in approximately 100 countries. The company develops structural heart devices like tissue replacement, and is also a major provider of critical care monitoring systems that have been in high demand during the pandemic. “It was crucial that we continued to provide our products to patients, ensuring our manufacturing and global supply chain never stopped,” Matsen said.
This required the company’s workforce to consistently perform at a high level, which was not easy when a highly infectious virus could sideline many employees. To limit this risk, Matsen partnered with the company’s human resources and supply chain functions to create a robust contact tracing system to track COVID-19 infections. “If an employee reported symptoms consistent with a COVID-19 infection, it generated a set of contact-tracing procedures, including training materials and testing protocols to deter transmission on a location-by-location basis,” he said.
“ERM helped us to bring together different plant leaders to standardize and provide direction on our protocols,” he said. “Ultimately, we were able to swiftly implement these protocols to protect employees in a manufacturing setting, thereby ensuring a continuous flow of life-saving products to meet the needs of patients worldwide.”
Examining the Entire Portfolio
As a large global independent investment firm that manages risk across a wide range of asset classes, Invesco Ltd. needed to consider the pandemic’s impact on its own business as well as those in its portfolio.
“When the pandemic occurred, the big question we were being asked by clients and regulators was how our risk landscape and response to risk had changed,” said Suzanne Christensen, the firm’s chief risk officer. “We had to quickly identify how individual risks were impacted, but also how our whole portfolio of risk had changed in both the short-term and longer-term, too.”
One example is how Invesco managed business disruption. The business continuity plan called for relocating certain operations curtailed by a crisis like a hurricane or flood to a separate dedicated facility. This was not feasible, as it did not accommodate the health and safety risks of COVID-19 infection and transmission. “Like many other companies, everybody was working from home, using virtual technologies to complete tasks and serve our clients,” Christensen said.
The pandemic’s impacts on financial markets also led to demands from clients for more real-time information delivered virtually. Although these demands accelerated an existing trend at the firm, Christensen said it tested Invesco’s ability to efficiently leverage digital tools, real-time data and virtual collaboration across time-zones. “It all just put additional stress on our employees and our systems, requiring that we factor these issues into our consideration of risks over a longer-term,” she said.
While the company ultimately executed the transition to remote work well, it then had to be concerned about increased cyberrisk. The mass virtual work environment increased its susceptibility to attack at a time when its cybersecurity and response team also was working at home. Moreover, since third-party vendors are a key source of potential cyber incidents and Invesco is dependent on third-party providers who were also working remotely, the firm’s cyberrisk exposures increased even further.
“We essentially had to evaluate all of our risks, individually and together,” Christensen said. “In doing so, we realized that the ‘water level’ on all our risks had risen and our ability to absorb the additional shocks—at least initially—was dramatically reduced.”
Comprising Invesco’s highest-ranking senior executives and risk professionals, the firm’s corporate risk management committee served as a forum to challenge the assessments and assumptions. The committee weighed in on how best to prioritize and manage these efforts across the firm.
“The ERM framework and common risk language supported discussions that allowed us to consider the full portfolio of risks and get to the heart of what mattered most for the success of the entire firm and our clients too,” she said. “Without that holistic view, we’d be stuck out there in our silos with a lot more uncertainty as to what to do.”
Learning from History
Health insurer Centene launched its ERM program in 2005. As a result, the company had a mature program in place and the risk team had already examined the possibility of a pandemic.
“We were an early adopter of ERM in our sector and had documented the possibility of a pandemic affecting our operations since 2009, when the H1N1 swine flu pandemic emerged,” said Jana Utter, Centene’s vice president of ERM. “Now, we were able to look at the business continuity mitigations that were put in place at that time and understand how the risks played out across three or four reported quarters. Not every company had that information, and it was very helpful.”
When COVID-19 emerged in the United States in February 2020, senior executives wanted to know if the ERM program had any data on pandemic risks and Utter was able to point to data on both pandemics and epidemics like the mosquito-borne Zika virus in 2016 already embedded in the company’s risk register.
Beyond the ERM program, she gave equal credit to Centene’s business continuity plan for moderating the pandemic’s business impact. “It shouldn’t matter what the event is that triggers the business continuity plan—the important thing is for it to be well-functioning,” Utter said. “Ours was and is. Through the years, it evolved, correlating the potential impacts of different perceived risks with the need for additional or new mitigations.”
This plan will evolve further and the company is already prioritizing incorporating lessons learned from this year. For example, Centene’s ERM organization normally meets at the company’s St. Louis headquarters for a series of quarterly risk meetings with a large group of senior executives. In the past, some executives could not make these meetings due to travel commitments. At the onset of the pandemic, all of the quarterly risk meetings were held virtually and attendance was 100% with no meetings rescheduled. All senior executives were able to participate in these important ERM discussions as scheduled, which increased the efficiency and effectiveness of the process.
An Evolving Process
Navigating the COVID-19 pandemic has been an experience from which all risk professionals can learn. By recording the pandemic’s breadth and scope in their respective risk registers, ERM leaders will be better equipped to address similar risk events in the future. “This is not a one-time impact,” Christensen said. “We are bound to see more epidemics and pandemics. These risks must be treated as endemic.”
Continuous risk analysis and documentation will be necessary to adapt and respond effectively to new events. “Each time a crisis occurs, the silver lining is our ability to map these lessons holistically across all the functions,” Matsen said. “An ERM program provides a central place and point to consolidate each lesson to continuously strengthen the business continuity plan.”
The pandemic has also made clear that crisis events are not just business concerns—ERM also has a critical impact on people. “Looking back, the pandemic was a human-centric problem that required a focus on helping people,” Steiner said. “We were able to keep the culture intact and the workforce motivated by understanding how they were feeling at a time of change and duress. A company’s culture is something that will be more important from an ERM standpoint going forward.”