Over 800 risk professionals joined Richard Waterer, Managing Director EMEA for Aon, and David Tattam, Director of Research and Training at The Protecht Group, for our live webinar "Managing Disruption – The keys to riding the storm".
Richard and David shared their insights on the importance of planning and being adequately prepared for disruption, the key elements of managing a disruption, and the role of risk management in being resilient to disruption.
We believe that connecting like-minded risk management professionals to share ideas will help shape the future of risk management, so in this article we share the Q&As, polling results and post-webinar survey responses from the session.
Questions and Answers from the Live Session
1. Given the increasingly interconnected world, is traditional Business Continuity management becoming redundant?
Richard Waterer: Great question. I think there is still a huge place for Business Continuity Management. I would define BC as understanding the assets and resources that matter most to an organisation and seeking to protect the availability of those assets and resources, almost irrespective of the incident that has taken place. With that said, we've learned a lot about the value of traditional Business Continuity plans in an event that can affect multiple companies, sometimes not even confined to an individual geography.
A lot of plans will contain assumptions about recovery, either assumptions about the ability of partners or suppliers to be available, or assumptions that customers will be there and ready to receive your products and services. This pandemic has certainly tested how we think about Business Continuity Management, but as we think about more traditional events such as the loss of a facility, an asset, or maybe a key person or team, a lot of these founding principles remain the same.
Although with BCM we focus less on threats and more on impacts, we are going to see considerable changes to the way companies operate, whether that's home working or re-engineering supply chains. The BCM events that are more likely to drive those losses, if they're not managed or prepared for, may well change, so that will likely require more focus.
2. I have never heard the term "Black Swan event". Please kindly explain it.
David Tattam: A "Black Swan event" is a very, very low likelihood but highly catastrophic event. The term comes from the book "The Black Swan: The Impact of the Highly Improbable" by Nassim Nicholas Taleb. While I'm at it, you should also read the book "The Gray Rhino" by Michele Wucker, which is more about the incidents that are predictable but that we tend to ignore until it's too late. I would argue that COVID-19 was in fact a grey rhino rather than a black swan.
Almost half of the attendees from our live session say that high-impact risks are managed well in their organisation, while 44% say that only the obvious ones are managed OK.
3. You mentioned that in previous pandemic scenario analyses, government intervention was not assessed accurately. Now we have seen the level of government intervention, is there a danger of extreme risks being viewed as the government's responsibility not the organisation?
David Tattam: Interesting question! Firstly, in the majority of scenario analyses for pandemics prior to COVID-19, there was definitely a lack of, or erroneous, assumptions regarding how governments would react. With hindsight, it always seems more obvious what the government and authority response to a highly infectious pandemic would be, but our scenario analysis assumptions just didn't get it right. We always learn from experience, and I am sure all pandemic and public health related scenarios will now have much more realistic assumptions regarding government response.
Secondly, there is the implication for future pandemics. Given the enormous government influence in attempting to deal with the pandemic, there could be a feeling of individual organisations being powerless and therefore "leave it to the government". This would be a grave mistake. There is much that an organisation can do to maximise its resilience to future shocks, and also to plan for the war room operation when a shock does occur. Government and authority response becomes an external driver to the organisation. In many ways government response should be considered the cause of many additional organisational risks (inability to carry out business etc.), and the organisation needs to be clear about what it can and cannot influence, focus on what is within its control, and manage that accordingly.
38% of the live webinar attendees hold a positive view of how their government has managed the COVID-19 crisis.
4. Has the role of Big Data/Machine Learning met expectations on early warning systems? Is there more evolution of this to come?
David Tattam: Great question. No, I don't believe that the role of Big Data or machine learning has met expectations in any way or form yet. Big Data felt a bit like the internet bubble for a while in terms of what it was going to deliver, and I think it disappointed in a way. I think we've come back from the Big Data revolution to a more realistic position of taking the data that is available and turning it into usable intelligence. I believe there is a huge role for increased data usage, particularly around early warning systems, to give these risks more prominence.
5. How do we ensure that the risks that are not in our top 10/15/20 get adequately looked at and is there a need to revisit the risk assessment methodology for assessing them? Is there another parameter required?
David Tattam: I would argue this goes very strongly with the question on big data. As we get more forward looking risk metrics and indicators that enable us to assess risks in a more sophisticated way this will bring these low likelihood, big impact risks to the fore, so that we are more prepared in the future. It's also worth mentioning that we've got a series of risk management futurist webinars starting in August and certainly Big Data and Machine Learning will be discussed.
6. Good crisis management is not just about how you manage the event but how you're seen to manage the event. In light of this, are companies doing enough to manage their risks to reputation?
Richard Waterer: My short answer would be, probably not. In my experience, there have been two lenses through which a lot of companies have started to think about reputational risk management. One is through asking, are they prepared for crises, and can they manage the crises and create a positive response without creating further damage if it's mismanaged. There has been a lot of focus on that for some years now. We also see that when companies are evaluating risks in their risk register, they tend to use a series of indicators which are much broader than pure financial impacts today, and they may well also apply a reputational impact. But in my experience, those reputational impacts are often relatively high level and don't really create additional insights for the company that's assessing them.
So where I see this being done well is in companies that have almost gone to the next stage of that process and thought about how they can map out those reputational risk scenarios that may not lead to short-term financial impact, but may lead to a longer-term erosion of either relevance or market share or indeed share price performance. The key in doing that is understanding what the values are that the company trades by, and therefore what the events are that would most compromise its ability to be seen to be upholding those values.
There's also a big bit of stakeholder engagement required, thinking more broadly than traditional risk management functions perhaps would, so you're dealing with a very wide stakeholder community. Typically, the big reputation events are the ones that compromise those values and also have the ability to negatively impact a wide group of stakeholders. It's all about understanding those events and spending as much time as possible building out what they might look like and what they might end up costing, so you can invest in them appropriately.
The majority of webinar attendees believe that their organisation has managed the COVID-19 crisis well or very well.
7. How does dynamic risk reporting work? Are we integrating GRC tools with other technologies to obtain data in real time? Can you share any examples?
David Tattam: At Protecht, we refer to dynamic risk reporting as “Risk in Motion™”. This is literally recognising the dynamic nature of risk, how quickly it can change and therefore the need for more dynamic, real time and forward looking reporting.
The principles for how it works are:
- You need a strong central library of risks – the risk taxonomy
- You need well developed risk processes including Risk Assessment, Incident Management, Key Risk Indicators, Control Assurance, Issues and Actions, Internal audit and so on.
- All of these processes and the risk data collected from them must be linked to the relevant risks within the risk library
- Reporting involves the aggregation of all relevant risk data at the time of reporting linked to each of the risks. This then gives an integrated and dynamic (using all of the most recent data available) view of risk.
An example is provided below:
The same principle applies for any other risk dimension such as:
- Controls in Motion - where all information is attached and aggregated to controls
- Compliance Obligations in Motion - where all information is attached and aggregated to specific compliance obligations
You can also view the following which will provide more guidance:
- Is your risk management a little static?
- Understanding RiskInMotion: How to bring all your risk information into one dashboard
8. Where third-party risk is present, how do we move away from reliance on ingrained "on site" interactions (audits, performance review meetings, cyber control testing) to alternatives? I have found that not being able to be "on site" with third parties has shown weaknesses in controls we had not previously identified (access to site was a reasonable assumption).
David Tattam: Third-party risk management is a rapidly developing area, not least because of the ever growing realisation as to the level of risk posed by our supply chains and in particular key suppliers. This involves the obvious risk of third-party performance and failure but also modern slavery and the need to know our suppliers.
The traditional approach of “on-site” interactions and audits has the problems of permissions to carry these out and the high cost involved.
The future is really about remote monitoring of third parties. This can be achieved in two main ways.
- Collecting available key risk indicator information that does not require third-party permission. This includes such things as published financial and non-financial information, news articles and so on.
- The second is to build into the contractual relationship the requirement for the third party to provide ongoing risk related information such as results of controls testing, attestations, key risk indicators and so on. Your risk management systems should allow direct input by third parties remotely to allow this monitoring.
This remote approach is much more efficient and agile. When the data raises concerns, this should prompt direct inquiry, which may involve third-party site visits and audits, but these would be on a much less frequent basis and targeted based on the risk information and analysis already carried out.
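The "Risk in Motion" principles in question 7 (a central risk library, every risk process linked to it, aggregation at reporting time) and the remote third-party monitoring in question 8 (externally sourced KRIs plus supplier-submitted attestations, with site visits triggered only when the data raises concerns) describe the same mechanism: link every piece of risk data to a taxonomy entry and compute the view as of the report date. The following is an added illustration, not Protecht's product code or anything shown in the webinar. The risk IDs, record sources, thresholds and sample records are all constructed for this example; it also shows two failure modes a practitioner should handle, records that reference no risk in the library (which silently drop out of any aggregated view) and records dated after the report date.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Central risk library (the taxonomy). IDs and names are hypothetical.
RISK_LIBRARY = {
    "R-OPS-01": "Key supplier failure",
    "R-TEC-02": "Loss of primary data centre",
    "R-PPL-03": "Loss of key personnel",
}

# KRI thresholds (hypothetical): a reading at or above the value triggers escalation,
# i.e. a targeted inquiry or site visit rather than a routine one.
KRI_THRESHOLDS = {
    "R-OPS-01": 3.0,   # e.g. supplier late-delivery rate, per cent
    "R-TEC-02": 2.0,   # e.g. unplanned outages per quarter
}


@dataclass(frozen=True)
class Record:
    """One item of risk data from any risk process, linked to the library by risk_id."""
    source: str                    # "incident", "kri", "control_test", "issue", "supplier_attestation"
    risk_id: str
    when: date
    value: Optional[float] = None  # KRI reading (only meaningful when source == "kri")
    status: str = ""               # "open"/"closed" for issues, "pass"/"fail" for control tests


def aggregate(records, as_of, library=RISK_LIBRARY, thresholds=KRI_THRESHOLDS, window_days=90):
    """Build the dynamic per-risk view as of a report date.

    Returns (view, unlinked): view maps each library risk to its aggregated data;
    unlinked lists records whose risk_id is not in the library, which would
    otherwise vanish from every report without anyone noticing.
    """
    unlinked = [r for r in records if r.risk_id not in library]
    by_risk = defaultdict(list)
    for r in records:
        # Only linked data, and only data that existed on the report date.
        if r.risk_id in library and r.when <= as_of:
            by_risk[r.risk_id].append(r)

    window_start = as_of - timedelta(days=window_days)
    view = {}
    for risk_id, name in library.items():
        recs = sorted(by_risk.get(risk_id, []), key=lambda r: r.when)
        kris = [r for r in recs if r.source == "kri" and r.value is not None]
        tests = [r for r in recs if r.source == "control_test"]
        latest_kri = kris[-1] if kris else None          # most recent reading wins
        latest_test = tests[-1] if tests else None
        open_issues = sum(1 for r in recs if r.source == "issue" and r.status == "open")
        recent_incidents = sum(1 for r in recs if r.source == "incident" and r.when >= window_start)

        reasons = []
        if latest_kri is not None and risk_id in thresholds and latest_kri.value >= thresholds[risk_id]:
            reasons.append(f"KRI {latest_kri.value} >= threshold {thresholds[risk_id]}")
        if latest_test is not None and latest_test.status == "fail":
            reasons.append("latest control test failed")

        view[risk_id] = {
            "name": name,
            "latest_kri": latest_kri.value if latest_kri else None,
            "latest_kri_date": latest_kri.when if latest_kri else None,
            "latest_control_test": latest_test.status if latest_test else None,
            "open_issues": open_issues,
            "incidents_last_window": recent_incidents,
            "escalate": bool(reasons),
            "reasons": reasons,
        }
    return view, unlinked


# Constructed sample data: a mix of internally collected and third-party sourced records.
SAMPLE_RECORDS = [
    Record("kri", "R-OPS-01", date(2020, 5, 1), value=1.5),                   # from published supplier data
    Record("supplier_attestation", "R-OPS-01", date(2020, 6, 1), status="submitted"),
    Record("kri", "R-OPS-01", date(2020, 6, 15), value=4.2),                  # later reading breaches threshold
    Record("control_test", "R-OPS-01", date(2020, 4, 20), status="pass"),
    Record("incident", "R-TEC-02", date(2020, 5, 10)),
    Record("control_test", "R-TEC-02", date(2020, 6, 5), status="fail"),
    Record("issue", "R-TEC-02", date(2020, 6, 6), status="open"),
    Record("kri", "R-TEC-02", date(2020, 7, 2), value=1.0),                   # dated after the report: ignored
    Record("issue", "R-PPL-03", date(2020, 5, 5), status="closed"),
    Record("incident", "R-XXX-99", date(2020, 5, 5)),                         # not in the library: unlinked
]

if __name__ == "__main__":
    view, unlinked = aggregate(SAMPLE_RECORDS, as_of=date(2020, 6, 30))
    for risk_id, row in view.items():
        flag = "ESCALATE" if row["escalate"] else "ok"
        print(f"{risk_id} {row['name']}: {flag} {row['reasons']}")
    for r in unlinked:
        print(f"UNLINKED record for unknown risk {r.risk_id} from {r.source}")
```

The escalation flag is what turns the remote monitoring in question 8 into a targeted site visit: R-OPS-01 escalates because its most recent externally sourced KRI breached the threshold, R-TEC-02 because its latest control test failed, and R-PPL-03 stays quiet. The record for R-XXX-99 is reported separately rather than dropped, since an unlinked record is a taxonomy or data-entry problem that no dashboard will surface on its own.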
Attendees showed great confidence in their businesses facing the disruption caused by COVID-19, with 89% saying they will either recover or be stronger than before.
What is the most likely and profound impact of COVID-19 on the future of risk management?
Here's how our attendees responded when we posed the question: "What do you see as the most likely and profound impact of COVID-19 on the future of risk management?"
Risk Management at the Forefront
One of the common themes from the survey responses is the increased relevance and importance of risk management in organisations as a whole:
- A more enterprise approach to risk management; Risk Functions on the 2nd line taking greater priority/funding than Compliance and Audit. Compliance merging with Legal to reduce cost and allow Risk more profile in the organisation.
- I think the impact is positive as the organisations will now be more interested in considering risk management as an important tool to anticipate and be prepared/vigilant for future similar kind of incidents.
- Hopefully more risk management involvement from an overall strategic point of view
- Hopefully a more serious consideration of the Enterprise Risk environment.
- Whole of society approach to Risk Management - no one will be left behind
- Revisiting risk methodology.
- Upscale, redefine risk management.
- Greater scenario and stress testing of operational risk.
- Risk Management will be valued more and appreciated more as a value added function
- Elevation of the function to a "functional management" role as opposed to reactive window dressing for the regulator.
- I think risk management will elevate quite significantly and will become a number 1 priority. Given the misuse of the word risk, maybe there will be a need for a more futuristic word.
- Greater focus and respect for risk management and profession.
- As you already said, hopefully raise awareness on risk management importance and strategic position in all companies.
- I think it has certainly highlighted the importance of comprehensive risk management, and hopefully will push organisations to be better at managing risk, therefore better prepared for an uncertain future.
- Swings both ways - it can reaffirm the need for good risk management or question its efficacy of anticipating risks and preparing for them.
- A better embedded risk management strategy for us.
- Bringing risk managers to the forefront and being held accountable for allowing risks to be incorrectly assessed.
- It will lift the importance and prioritisation of risk in most cases
- To be more forward thinking and for the thinking to be integrated within the business rather than an add on or compliance activity.
- Risk is getting more attention and value.
- Organisations taking risk management more seriously.
- Highlighting the importance of risk management and provides us with even more airtime in front of senior management, particularly with focus on high impact low likelihood risks and stress testing.
- Senior leaders taking risk management seriously.
- It will become more prevalent within organisations and taken more seriously.
Black Swan events refer to events with a very low likelihood but highly catastrophic impact.
Black Swans and Grey Rhinos
Several responses also referenced more awareness of low likelihood but high impact events as well as predictable incidents that are often ignored:
- I guess no one really expected that a pandemic would impact us in the 21st century but it has and the lesson is, be prepared and have a well disciplined team/approach to the unexpected.
- Further focus on the low likelihood high impact events and further strengthening of continuity planning including resilience.
- That the unexpected can happen and you need to be prepared.
- Businesses’ ability to effectively manage low likelihood high impact risks.
- The grey rhinos get talked about.
- A move to a more forward thinking approach at board level with consideration of high impact events regardless of likelihood.
- Managing unpredictability.
- Short term knee jerk reaction to black swan events.
- Do not rely on plan/processes developed in the past to be applied for future undefined events.
- Reacting to uncertainty.
- COVID-19 will encourage business to consider globalisation (how quick something can move around the world) and a change of focus on to previously ignored high risk low likelihood risks.
- Need for more agility and greater focus on lower likelihood but high impact events.
- Recognition that extreme and unimaginable events can occur, and that organisations need to be prepared for them.
- Don't discount any potential risk - even the most improbable could occur and has to be considered.
- Consideration that what is unlikely might actually happen and people perhaps taking it more seriously.
- Organisation giving priority to low likelihood and high impact risk.
Agility, Readiness and Business Resilience
Some respondents also stressed the effects of the pandemic in pushing organisations to review their readiness, ability to respond quickly and their overall business resilience:
- Agility of risk management in responding to "black swans" as well as moving towards being more predictive of risks that are likely to have a high to moderate impact to the organisation. Certainly business resilience is a key focus area and how risk management helps to achieve this.
- Risk management actions, framework should become more agile and flexible and have a model of continuous cycle.
- Putting Business Continuity Management on the focus, a growing expectation of Risk Management becoming more predictive and more tangible in evaluation - in a sense of giving price tags or value at risk for risks instead of qualitative rating. Developing pragmatic ways of risk quantification appears key to me to fill Risk Management's chair at the management team table.
- More resilient higher profile.
- The need to join up Business Continuity & Strategic Risk Management to really look at Organisational Resilience.
- More awareness and appreciation of business continuity management and disaster recovery plans.
- Managing complacency.
- Stronger operational resilience and a more prepared approach to risks.
- An increasing requirement / need for dynamic approaches and information.
- Making risk management reporting dynamic.
- Sustainability of all business during crisis, people arrangement to go working online, readiness of business model to crisis.
- A more integrated approach at corporate levels and internationally.
Missed the live session?
We've got you covered! Click the link below to get access to the webinar recording and presentation slides.
Browse our knowledge centre for more resources on risk such as risk management goals and risk management opportunities.