COVID-19 has fundamentally changed the way business is conducted. Now more than ever, such a rare, unanticipated Black Swan event underscores the importance of risk management.
Across organizations, the discussion of risk is being elevated and has gained C-suite attention. According to 2020 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, a joint report by North Carolina State’s Enterprise Risk Management Initiative and the American Institute of CPAs, 42% of respondent organizations designated a Chief Risk Officer (CRO), a 10% increase from 5 years ago. Though the practice is particularly prevalent in the financial services industry, the report noted that even among non-profits, 39% reported designating a CRO or equivalent.
Every organization, regardless of its size, should understand its risk profile as well as its vulnerabilities. By doing so, it is able to develop strategies and protocols in advance of, rather than concurrent with, or worse, subsequent to, the occurrence of a destabilizing event.
One of the critical things that organizations, including small and medium-sized companies as well as non-profits, can do is establish a risk committee to examine enterprise-wide risk. Each member on the committee should represent a key functional area of the business: operations, finance, talent/human resources, information technology, marketing, and so forth. The composition of the committee, by necessity, will vary by industry. For example, an investment management firm might also include trading, portfolio management, and compliance team members as part of the committee. The ultimate objective is that the committee represents the essential functions of the business.
The responsibilities of the risk committee include:
1. Identifying Risks
Risks vary by industry, and each member of the committee should be uniquely qualified to address the potential risks in their respective areas. For a small domestic pharmaceutical manufacturer subject to FDA regulations, one potential risk is drug contamination, whereas for a company with international operations, it may be bribery and running afoul of the Foreign Corrupt Practices Act. The point is to develop a comprehensive risk profile of the organization from as many different functional perspectives as possible.
2. Assessing/Prioritizing Risks
Not all risks are created equal. For each risk, the committee should assess the likelihood of the risk occurring as well as the severity of the risk should it occur. Then, the committee can assign a risk rating. Risk ratings are a reflection of an organization’s risk tolerance, and risk tolerance is driven by an institution’s culture. Some organizations, by virtue of their culture, have a greater appetite for risk than others. How risks are perceived and prioritized is a window into an organization’s cultural mindset.
3. Managing/Mitigating Risks
It is important to recognize that just as organizations have different risk tolerances, how companies choose to manage risks will also vary. Some risks are deemed relatively low level, and the committee may recommend that senior management accept the risk as a cost of doing business. Other risks, such as the cost of complying with the provisions of the E.U.’s General Data Protection Regulation (GDPR), particularly if there is a data breach, may simply be too high, and as a result, the business decision could be to exit the E.U. Finally, other risks require mitigation strategies, which is why the collective institutional knowledge of the committee members is critical. For example, a retail business handling personal data may decide that one potential recommended mitigation strategy is the acquisition of cyber liability insurance, a discussion on the committee that involves operations, finance and IT.
4. Monitoring Risks
Risks are not static. They are evolving, driven by a host of externalities: regulations, geo-political events, the economy, etc. Each organization is different and its industry and culture will dictate the frequency of risk committee meetings, whether quarterly or monthly, in order to best protect itself should a crisis occur.
The pandemic exposed our vulnerabilities on a number of different levels. A risk assessment cannot contemplate every risk, particularly disruptive Black Swan events, like COVID-19. However, risk committees serve a vital function by thinking collaboratively and critically, developing protocols and formulating solutions to manage and mitigate organizational risks, which ultimately buffers the organization itself and those who bring it to life.