Reflect, Rethink and Respond How Post-Pandemic Risk Management can improve

Businesses are beginning to see the light at the end of the COVID tunnel. Many CEO’s are taking time to re-strategize, implement new processes, and reacquaint themselves with staff, many of which have been working from home.  It definitely is a time of change and repositioning.

Risk managers should also be taking a look at the past couple of years and determine if there is something that they could have done differently.  It is still surprising that few, if any, risk people could predict the pandemic but it is not a surprise that no one could have predicted the depth of impact.  This might indicate a need to modify, change or enhance certain risk practices.

Before we share some ideas for change let us be clear that no one could have predicted the global nature of the pandemic, the significant impact to businesses, economies, and of course to human life. Instead, this space is being taken to determine lessons learned and to help prepare us for the next great crisis.

Going forward risk managers and Chief Executive Officers should consider an immediate deep dive analysis into three areas: Risk Indicators, Touch-point Analysis, and Rapid Response Processes.

Risk Indicators: We have long utilized indicators to determine behavior of portfolios and economies. During the past five years the use of indicators have increased and now include process efficiency, systems effectiveness and many other data points. The remaining challenge for those of us in the risk management business is the development of integrated indicators. These are indicators that when working together provide additional insights that help management understand the depth of events and their impact to multiple processes.  A solid GRC system and risk methodology that links events to multiple risk categories or business processes can help in this area.

Touch-point Analysis: We have noticed that very few risk managers are utilizing the touch point analysis in their practice of risk management.  A touch point analysis, where the transaction or process is flow- charted and then human, systems or external contacts are inserted (touch points), is not a common behavior.  This is interesting because introduction of risk to process or transactions is a key knowledge point for management. The more complex our business the more a touch point analysis can indicate where something can go wrong, the cause of that potential problem, and provide a roadmap to issue resolution. While most GRC tools do not focus on this activity it is certainly something that should be found in the risk management tool kit.

Rapid Response: Prior to the advent of the Pandemic this author had an epiphany.  In a conversation with the head of technology for a large bank over fraud the CTO mentioned that while predicting fraud is important, and setting up monitoring for known fraud events is valuable, the key going forward to managing fraud is something else. It is how quickly and completely a business responds to new cases of fraud. 

Thinking about that and then seeing the pandemic entrench itself in country after country we could notice that how and when a city, state or government responded was the key to slowing down the surge, protecting people and ultimately saving lives.  This is a keen example of why risk managers should ensure that their businesses have a comprehensive and effective response plan (and team) to address events. The cold hard fact is that no risk system can predict what will happen or when it will happen. But we can recognize an event, respond quickly to that event and limit the negative impact by a developing and implementing a rapid response process. Perhaps pivoting to recognition, response reward is a good thing for us as we emerge from the pandemic and return to more normal business cycles.