THE PANACEA TO ADDRESSING EMERGENT RISKS
Varun Rajasekaran
Author of 'Corporate Karma' | Thought-Leader in IT Governance Risk Compliance (IT GRC) | Hybrid ERM & Baldrige Fishbone Model Architect | Elevating IT Security Compliance & Governance
The current era of volatility, uncertainty, complexity, and ambiguity (VUCA) has had a major impact on how organizations manage risks to achieve operational excellence. However, the recent global COVID-19 crisis has been catastrophic and unprecedented. That no organization expected this crisis has put an even brighter spotlight on the identification, analysis, and monitoring of all risks, including emergent risks, in enterprise and project risk management.
Risk management standards from institutions like PMI, NIST, actuarial societies, and ISO are useful. However, the biggest disadvantage of any standard is that it is non-prescriptive. For example, ISO emphasizes the identification of external issues arising from the technological, social, environmental, legal, and political environment. However, it does not explain, with examples, how to comply with this requirement.
PMI describes emergent risks (e.g. the current COVID-19 pandemic and similar disruptions) as potential blind spots for any organization, i.e. the inability to identify a risk until it has occurred! It also suggests solutions to tackle such risks. But this applies to projects and programs only.
So, let's focus on actions that organizations can implement to not only cushion themselves from such emergent risks but also leverage opportunities from them.
One way is to improve the effectiveness of ERM practice by implementing the steps below:
· Identify similar emergent risks in their ERM register with the help of internal experts.
· Allocate cash reserves to handle such risks if they become a reality.
· Include this in their enterprise risk library and cascade it across the organization.
· Ensure that monitoring and review of emergent risks happen once every 15 days.
· Internal audits can focus on the effectiveness of response plans to emergent risks.
Another way is to establish a bi-directional approach: combine an outward-in view (i.e. identifying emergent risks with an expert’s help, as mentioned earlier) with an inward-out view. The latter is already being practiced at the organizational level, using frameworks like ERM. However, ERM effectiveness will improve further by taking a leaf out of the practices adopted at General Motors (GM) and Statoil, an oil and gas producer based in Norway.
GM looks at mega-trends like a shift in global economic power, disruptions in technology, climate change, etc. to see whether each is a threat or an opportunity it can leverage. Besides this, they monitor what consumers are talking about on social media, use keyword searches, and prepare word clouds to identify top topics. Interestingly, they also interact with the next generation of engineers, scientists, and line workers to understand their views on emerging risks and opportunities.
At Statoil, the risk team first performed a cost-benefit analysis of Statoil’s financial transactions. This showed that these were affecting the organization’s balance sheet, which the leadership found unacceptable. Subsequently, they gave a formal go-ahead. Second, their risk department established the ERM framework based on two goals, i.e. value creation and avoiding accidents. They informed all business units to identify, analyze, and review uncertain events for negative and positive impact. Third, the focus was on viewing risks from the perspective of key activities performed in their value chain.
To drive home the point further, let’s look at the current COVID-19 pandemic from both a value-preservation and creation perspective. First, it led to the temporary closure of Chinese factories that supplied components and/or systems to the global technology industry, including India! However, this was a blessing in disguise for those who looked at this as an opportunity and re-tested their existing vendors and replaced them with local, cheaper ones!
Second, for many employees across organizations, the results of a forced “working from home (WFH)” were better than expected. According to a survey by McKinsey, 80 percent of people stated that they enjoyed working from home, while 41 percent said that they are more productive than they had been before. Many have been freed from long travel times, subsequently improving their personal and professional lives!
Third, rebuilding the way we do work is another exciting opportunity. One might wonder how. First, refining processes and practices on a war footing, with agility and flexibility as the aim, is the first step towards leveraging both in-person and remote work. Then, reduce talent costs by changing the WFH policy so that employees can continue working from home, with a monthly meeting at the office or with colleagues at a mutually agreed destination. Also, assess talent management to determine whether the team can do it spontaneously in the digital era.
Looking at recent trends in the percentage of time worked in main and satellite offices, office space costs can be reduced. One way is to lease campuses in suburban areas. Organizations can also use a combination of solutions, e.g. flexible leases, co-working space, and remote work. Implementing such solutions could eventually reduce real-estate costs by 30 percent. Even better would be to adopt a fully virtual model, which would almost abolish real estate costs and reduce risks related to health!
So far, we have looked at a multi-layered approach to tackle emergent risks (i.e. strengthening ERM effectiveness, using a bi-directional approach) and exploiting opportunities (i.e. in supply chain processes, talent and so on). However, we need to learn an important lesson from this crisis, i.e. we can no longer turn a blind eye to other emergent risks like a global cyber attack! If this leads to a single-day shutdown of the Internet, it would cost the entire world more than a whopping $50 billion, while a 21-day lockdown will escalate the cost to $1 trillion!
This is just the tip of the iceberg! The subsequent costs of replacing a minor percentage of global computing devices will lead to an exponential rise in demand, which manufacturing firms cannot cope with!
Organizations can be better prepared for such a world-wide cyber attack by following the steps listed below:
1. Early identification and establishment of response plans in the ERM register with the help of internal experts.
2. Ensuring that IT teams run periodic “simulations” or “drills” to reduce response time to such attacks.
3. Collaborating with public or private institutions at a national level like Data Security Council of India (DSCI) or the Cyber and Information Security (C&IS) division to gain insights on policies, exchange best practices, build capacity, and so on.
4. Last but not least, using old ways of keeping backups (i.e. at least storing critical information in physical form), automated detection and response, and privileged access management (i.e. limiting the number of accounts with privileged access rights) could go a long way in countering such attacks.
CONCLUSION
Thus, it is every organization’s prerogative to decide how it responds to killer risks like COVID-19. In my humble view, it is a great opportunity for all to introspect and transform to reach the highest potential they have envisioned.
Author of 'Corporate Karma' | Thought-Leader in IT Governance Risk Compliance (IT GRC) | Hybrid ERM & Baldrige Fishbone Model Architect | Elevating IT Security Compliance & Governance
4y Thank you Pratham.
Helping Individuals & Businesses Achieve Massive Success| Mediocrity Crusher | Keynote Speaker | Peak Performance Coach
4y Very well drafted and informative article. Varun Rajasekaran