In many organizations, risk managers have long held essentially back-office roles, with limited or no access to boards, executives, and key decision-makers. They oversee a varied and ad hoc set of risks like workplace health and safety, business continuity, cybersecurity, compliance, and fraud. But their jobs tend to lack sufficient authority and funding, and those in leadership positions often don’t understand risk management and its importance to their business. Outside of large corporations and financial services firms, chief risk officers have been the exception rather than the rule.
The Covid-19 pandemic and the social and economic crises it has brought have thrust risk managers forward, and they’re now playing a key role in crisis management and business continuity; their knowledge and expertise are finally being put to good use. The survivors that emerge from this period—whether they’re startups, tech companies, or larger established corporations—are likely to be those that have developed strong risk management capabilities.
Hoping for the Best, Preparing for the Worst
Business continuity plans are proving invaluable in helping businesses maintain their critical activities right now. The organizations that have them in place have quietly and quickly slipped into a rhythm through strategic and purposeful activation. These plans were rehearsed and tested many times over by risk managers.
However, the pandemic is revealing how under-prepared many organizations have been for an external shock; they’re now facing operational and financial difficulties they never contemplated, let alone planned for.
When the business community does a postmortem on the Covid-19 pandemic and lessons learned are written up, they’ll look closely at the role of risk management, and what they’ll likely find is a preference for financial performance over business resilience in the pre-pandemic period.
Enterprise risk management, or ERM, has become more widely known in recent years, not least because of catastrophic events over the past two decades—like 9/11, the Indian Ocean tsunami, and the global financial crisis. Books like Nassim Nicholas Taleb’s The Black Swan have also raised the profile of risk management.
Nothing Changes, Nothing Stays the Same
Yet it seems nothing changes. Choices are made that, in hindsight, were excessively risky. Boards and CEOs pursue aggressively financed corporate deal-making. Business models are built like a house of cards, with little thought given to downside risks. Companies are found to have no cash reserves for rainy days.
How many companies will regret highly-leveraged, debt-funded acquisitions made in 2019 when markets were buoyant and company valuations at an all-time high? How many organizations now wish they were not wholly reliant on one country or region for their entire supply chain?
Management education has also been found wanting. Across the world, few business schools have dedicated risk management courses across their respective undergraduate, postgraduate, and executive education offerings. MBA courses rarely have risk management electives, let alone compulsory risk management modules. Perhaps this situation reflects the lack of demand—which, in turn, reflects the general apathy in the business world toward managing risk.
Universities should now be looking at how they can enable current and future business leaders to gain a deeper understanding of risk management. Business leaders need to develop decision-making skills that integrate a rigorous assessment of risk.
Similarly, the role of stress testing and scenario analysis is poorly understood and rarely practiced in a disciplined, regular way. Royal Dutch Shell famously pioneered scenario planning in the mid-1960s and refined its use in the 1970s (no pun intended). Many larger organizations and governments do undertake scenario planning exercises.
But these exercises are often seen as “nice to have,” with reluctant participation and results that are often left on the shelf. Some business leaders also see them solely as a regulatory compliance exercise.
As the coronavirus pandemic unfolds, the value of implementing a more comprehensive approach to risk management will become more apparent. This, coupled with sound—and perhaps conservative—financial management, will see some organizations emerge from this crisis in relatively better business and financial health than their peers. Sound risk management is often said to lie somewhere on the continuum between being risk-aware and paranoid.
Even in aviation, one of the most challenged and affected industries, there is already early evidence of this. Australia’s national carrier, Qantas, has invested heavily in risk management capabilities and is acknowledged as being financially very well managed. Sound financial management sees Qantas currently holding A$3.95 billion (US$2.53 billion) in cash and undrawn credit lines.
In the past the company has responded quickly to operational disruptions that have included volcanic eruptions, terrorist attacks, and serious flight incidents. Each time an incident occurs, its response is carried out from a purpose-built crisis management center in Sydney and follows a well-developed playbook. Reflecting this approach, Qantas is regularly rated as one of the safest, if not the safest, airline in the world.
Similarly, Singapore Airlines was able to raise at short notice S$15 billion (US$10.5 billion) in late March, reflecting its financial flexibility, strong balance sheet, and business model. While global and domestic tourism and travel sectors have been decimated by the pandemic, the planning for unexpected events by Qantas and Singapore Airlines should see them both better prepared for the future.
Getting Ready for Next Time
It’s not too late for other business leaders to follow suit, and start building the resilient organizations of the future. Those that survive the pandemic can rebuild their businesses on stronger foundations. Key steps they can take include recruiting senior risk management roles (such as a chief risk officer), giving these personnel direct access to the board, and ensuring business strategies and investment proposals have been reviewed by risk managers before approval. This will ensure the discussion of risk is a regular feature of all conversations around the board and executive tables.
There will be lessons to be learned for all organizations from this challenging period. If enough of them are better prepared for hypothetical risks to turn into reality (because let’s be honest—we never imagined we’d be in this sci-fi-like situation), individual businesses and the economy as a whole will suffer less the next time there’s a global crisis.