Supply Chain

COVID-19: The Risk Management Part Is Unfinished

What actions should senior risk managers and executive management undertake to deal with the remainder of the crisis and its aftermath?
John R.S. Fraser, Rob Quail, and Betty J. SimkinsJanuary 21, 2021

It is January 2021, and the world is in the thick of the COVID-19 pandemic. To control the spread of the disease, economic and social activities worldwide have been severely curtailed. Governments and organizations struggle to manage through the situation and strike an appropriate balance between mitigation of harm to public health and economic well-being.

What actions should senior risk managers and executive management undertake to manage through the remainder of the crisis and its aftermath?

Immediately: Dependencies and Risks

We’ve had many conversations with risk managers and executives about the short-term and immediate-term risks of COVID-19 concerning external dependencies and conditions: e.g., the supply chain, outsourced services, access to a flexible or seasonal labor pool. Most of our questions were met with reassuring answers regarding what is expected, such as, “We think our supply chain is going to be OK,” or “Our offshore data center is managing well through this.”

A Better Way to Do Ecommerce

A Better Way to Do Ecommerce

Learn how Precision Medical leveraged OneWorld to cut the cost of billing in half and added $2.5M in annual revenue.

John R.S. Fraser

But these are answers to the wrong question. The relevant question for risk managers to be asking in the short-term is not “What is expected?” but “What are the risks?” The pandemic is happening at a time of tremendous global interconnectedness. Organizations should be evaluating all of their third-party dependencies for vulnerabilities and conducting near-term risk assessments. This is a time when overdependence on limited supply chain channels or specialized, single-party services in support of mission-critical business processes is an especially acute source of risk.

We recommend that risk and business managers revisit their third-party dependencies and associated risks, and take steps to reduce single-point vulnerabilities through the one- to two-year time horizon during which the pandemic is expected to continue.

Short-Term: The Second Crisis

Leaders and public health officials acknowledge that the pandemic will be with us until late 2021 at least. Meanwhile, it is a fact of corporate life that from time to time, even in normal circumstances, all large organizations experience surprises. Given the timeline, it’s very likely that for many organizations, some other unrelated risk event is going to happen, too: perhaps a labor disruption, a technology failure, or an asset performance issue; that is, some other “shock” unrelated to the pandemic.

So, the question that risk managers and executive leaders should be asking themselves is, if and when this “second crisis” hits us, how will we cope?

Many organizations have been placed in a weakened state by the prolonged crisis, financially or in terms of human resources; crisis management resources have been fully deployed for many months. Are we watchful for other risk events that could occur, or are we so busy managing the impacts of COVID-19 that we may have developed blind spots? When something new breaks, will we be able to work through it? Or could a second crisis represent a “tipping point” with disproportionate negative impacts on the organization?

When something new breaks, will we be able to work through it? Or could a second crisis represent a “tipping point” with disproportionate negative impacts on the organization?

We recommend that organizations conduct a specialized, immediate-term review of their risk profile with a particular focus on agility and capacity to endure worst-credible scenarios, should any occur while the pandemic is still in full force.

Medium To Long-Term: Scenario Planning

There is no question that the pandemic and our response to it will have lasting effects on many aspects of business and society.  Early in the crisis, the United Nations’ trade and development agency projected that the global economy’s slowdown caused by the COVID-19 outbreak would likely exceed $1 trillion. There are downward pressures on national GDPs, and governments accumulate public sector debts while governments cope with the incremental costs.  And governments are injecting cash into their economies in an attempt to mitigate near-term economic impacts. These pressures and actions will have massive impacts on many aspects of the business environment for years to come.

Rob Quail

There are tremendous implications for risk management. The long-term impacts and aftershocks of the COVID-19 crisis represent a source of unprecedented uncertainty; there are many ways in which the economic, social, political, environmental, technological, and regulatory environments could be affected by these events. These possible future scenarios could represent tremendous vulnerabilities and opportunities for organizations. We believe that this is a circumstance where “risk management as usual” is inadequate; explicit exploration of the impacts of COVID-19 on the top-level strategic environment is necessary.

It is worth noting that not all the uncertainty and change represents downside risk; the mitigation and impacts of COVID-19 may create opportunities as well. For example, consumers and business partners are now interacting through digital channels in ways and to an extent they never have. There may be opportunities to incorporate this level of digital engagement into the “new normal,” leading to cost savings or revenue opportunities. In many jurisdictions, government policymakers have publicly discussed renewed commitment to the environment and accelerated investments in technology as possible post-COVID-19 activities. These could represent new opportunities for organizations in related fields.

We recommend that executive leaders, risk managers, and strategic planners examine the long-term strategic implications of COVID-19 and the associated risks and opportunities. One well-established tool that seems particularly well-suited to this need is scenario planning, of the type that was first widely adopted as a tool by Royal Dutch-Shell in the 1970s.

Downward Counterfactual Analysis

Coping with the pandemic has been a challenge for most organizations, experienced in very different ways across industry sectors, jurisdictions, and markets. For some, the main challenge has been about mobilizing a remote workforce. For others, where working remotely is not feasible, the focus has been on ensuring that employees were able to work safely. There have been cybersecurity challenges. And of course, there have been potentially catastrophic revenue and margin impacts brought about by the economic curtailment.

Managing through these challenges has tested many aspects of organizations’ agility and crisis management capability. Once the crisis starts to recede, organizations would be well-served by conducting a lessons-learned exercise.

Betty J. Simkins, Ph.D.

However, merely retracing the sequence of events and evaluating the response is not sufficient.  It is doubtful that the same chain of events as occurred in the COVID-19 pandemic would play out in the same way. In any case, the goal of the lessons learned should not be “How did we cope with this circumstance?” but instead should be “What have we learned that would allow us to cope with another unexpected shock?”

Several characteristics of the COVID-19 crisis were unusual.

  • First of all, it has had a global scope. Most of the typically postulated crises that organizations use as the basis for their response planning assume localized occurrences, such as severe weather events with limited geographic scope. On the other hand, COVID-19 is a genuinely borderless, global crisis: the mitigations planned by using backup centers, the geographic dispersal of work centers, or offshored operations were of little or no value.
  • A second unusual thing about this crisis has been its duration. Optimistically, by the time this crisis starts to recede, it will have lasted at least 18 months. We are simply not accustomed to managing through such long-lasting emergencies.
  • Third, one aspect of the crisis that worked in our favor was its velocity. From the time when the virus was first identified until its impact became truly global was a period of months. This allowed organizations time to mobilize emergency preparedness plans.

Downward counterfactual analysis is a risk management and planning “what if” thought process. Participants imagine what would have happened and how they would have coped if the events played out differently. For example:

  • What if the epidemic had rolled out more quickly? What if the epidemic’s impact was less evenly distributed — what if some geographic regions were much more seriously affected than others?
  • What if the pandemic had happened immediately after or during an economic downturn?
  • What if the virus originated in some other geographic location?

We recommend that organizations undertake an extensive “lessons learned” exercise, perhaps employing downward counterfactual “what-if” analysis, to improve resilience and preparedness for the next extreme event.

Many organizations appear to be holding their breath and waiting for the COVID-19 crisis to subside. That may be a mistake. We feel that more focus and energy needs to be brought to bear on anticipating and preparing for any further potential impacts during and after the crisis.

John R.S. Fraser is the former Senior Vice President, Internal Audit & Chief Risk Officer of Hydro One Networks, one of Canada’s largest electricity transmission and distribution companies. Rob Quail is principal and owner of Robert Quail Consulting, and former Director of Enterprise Risk and Vice President of Customer Service at Hydro One.  Betty J. Simkins, Ph.D., is the Department Head of Finance, Regents Professor of Finance, and Williams Companies Chair of Business in the Spears School of Business at Oklahoma State University.  The authors are co-editors of the 2nd edition of Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, to be published by John Wiley & Sons this summer.