How to keep coronavirus pandemic away from company’s risk appetite; three steps to reduce threat
January 7, 2021 4:02 PM
Hersh Shah, Sachin Paranjape
The COVID-19 pandemic created a sudden economic crisis where companies’ risk management strategies were tested abruptly and extensively. The disruption caused by the pandemic, and its economic fallout, not only brought intense scrutiny on enterprise risk management (ERM) but also on how organisations were developing their risk management strategies, which are crucial in determining how they manage a crisis such as a pandemic.
It is important to understand that the COVID-19 pandemic is not necessarily a one-off event. The World Health Organisation has also recently warned against the emergence of future pandemics, the fallout of which may be even more severe than what we are currently dealing with. This means that, going forward, companies can no longer afford to neglect to prepare for such events, and that a similar future scenario now needs to be taken into account in their risk strategies.
Two key aspects that influence an organisation’s ability to deal with any threat are risk tolerance and risk appetite. Risk appetite is the willingness of an organisation to withstand a certain type and level of risk, in the pursuit of its strategic objectives, before finding it necessary to take corrective action. Risk tolerance, on the other hand, is the deviation from this acceptable level of risk exposure that an organisation is willing to tolerate. Normally, these risk parameters allow a certain leeway in implementing changes.
Probability and Risk
As an ERM program matures, organisations evolve a scale to measure which events are more probable, which helps them manage the impact of different events. High-probability events naturally get higher billing than low-probability events in risk identification and in charting risk appetite. However, this kind of assessment can cause errors, where events with low probability but high potential impact get overlooked.
Risk professionals must prepare for any uncertainty with a strong risk management strategy in place, replete with compliance, operations, and other internal checks and balances. The strategy must account for a quick response, possible changes to compliance procedures, and accommodation of modified operations while preparing for a return to normalcy.
Pandemic Risk Management Strategy
To ensure that pandemic-like events are not excluded from risk assessment, both risk appetite and risk tolerance must be reevaluated. The strategy must, therefore, be modified on the following parameters:
Redefining the framework: Low-probability events that have a potentially high impact must be incorporated into the strategy framework. The potential impact and the organisation’s tolerance for a particular threat must be accorded more importance in risk-based decision-making. This framework must be reviewed periodically to accommodate any changes.
Governance: The risk committee must have more meticulous oversight, and should scrutinise even the low-probability risks to determine the organisation’s risk attitude and ensure threats are not being overlooked. The committee can work with CROs to understand which threats were identified and evaluated, and how.
Safety net: This pandemic has amply demonstrated the need for a provision or safety net to help organisations adjust to an altered environment. There must be sufficient capital allocation in the form of a war chest for emergencies. This will help deepen resilience when faced with a crisis. It can also allow the organisation to carry on collaborating with partners and allies, forming a network, which will, in turn, help strengthen its own position.
The business disruption in the immediate aftermath of COVID-19 revealed the lack of preparation and insight by organisations and businesses across the board. Ignoring a low-probability event in the risk appetite calculation, without evaluating the organisation’s own response capability should it come to pass, also led to the exclusion of a high-impact event that has shaken the entire world. To avoid a repetition of such events in the future, it is critical for companies to evaluate their ERM processes frequently to guard against such biases, and carefully assess how different low-probability events can pose a threat to organisational goals and business continuity.
Hersh Shah is CEO, and Sachin Paranjape is Strategic Advisory Board Member at India Affiliate of Institute of Risk Management, UK. Views expressed are the authors’ personal.