Risk management experts and professionals thought they had it all covered. We have prepared our own and our clients’ organizations to face the risks we thought were the most serious and the most likely to occur. While building cybersecurity armor to keep information safe, we might have underestimated good old biology. Is it too late for businesses to prepare for this new world where a virus is disrupting… everything?
The outbreak of the coronavirus epidemic is not currently causing problems with the continuity of drug supplies in Europe, but industry experts warn that this situation will almost certainly change — at the worst possible moment. The retail industry is struggling with a shortage of workers during the epidemic.
In Poland, entrepreneurs appeal to the president, prime minister and MPs to protect the food production and processing sector as a strategic part of the Polish economy. Transport and logistics must deal with suddenly restored border controls or imbalances in maritime transport. This is just the beginning.
But of course, it’s not too late. Risk management is a wide and mature area of management methodology built on extensive knowledge and experience. Now, more than ever, is the time to use it and let it be field tested.
As huge in scale and as unpredictable as the pandemic is, it’s just a new set of risks.
How can companies design processes to make sure that these risks are mitigated not only at the organization’s level, but also in relation to subcontractors and vendors?
The short answer is: risk profiling.
Read further to get the long one.
One: Verification of control mechanisms
The COVID-19 virus outbreak and its current effects are extraordinary, but it is the future implications of the pandemic that businesses should focus on, at least to the same extent as the present ones.
As the first step, I would advise company decision makers to verify all the mechanisms, including control, compliance and risk management, specifically in the context of the disruptive effects of the pandemic.
Start with the basics — things necessary to ensure business continuity on the organizational level, like VPNs for remote work or backup laptops for workers grounded in their home offices.
Two: Aggregate risk profiles
Risk profiles provide management with an overall picture of risk at a specific organizational level. A risk profile is a kind of executive summary of the entire risk analysis and hence it is very often analyzed and used by supervisory boards for decision making. The board and its members usually do not conduct a detailed analysis of each risk that may occur at any level of the organization. That’s why the bigger picture is so important here.
As a new circumstance that may overturn the table, the pandemic requires a fundamental update to companies’ risk management. Risk profiles have to change, so after you secure the basics, the second step should be to stop for a while, look around and review the organization’s internal and external readiness regarding security management and business continuity.
Three: No one said audits and compliance are suspended during a virus outbreak
A good practice of a well-managed organization is that risk profiles have to be reflected “on paper”, meaning they have to be auditable. Audits are still a thing, nobody has cancelled them!
But people are working from home, and this applies to everyone, including external audit consultants. The spring round of audits will be marked by additional risks and costs, and companies that are not prepared will feel the negative effects. Better to think of new means to carry out audits independently, without relying on retainers.
That’s no joke. Compliance will become more important than ever, as governments are introducing new rules of the game for the duration of the struggle to stop the epidemic.
It’s difficult to predict anything right now. The global market has never been so volatile, and time will tell what direction it will go. But we can assume that after the current experience, governments may want to introduce orders and other forms of pressure to verify whether mechanisms of risk management and compliance are implemented effectively and updated as necessary.