by David Vose
As I write this, companies are understandably focusing on the immediate struggle with Covid-19. If we are lucky, in a couple of months’ time, the pandemic will have subsided, although it will remain an ever-present threat until we have vaccinated our world’s populations. Then we will be living in a very different world. Some of the challenges we will face will be the temporary teething problems of restarting and rebuilding. Other challenges will be adapting to new, more permanent realities.
The companies that have planned ahead to manage the risks and uncertainty that will arise from Covid-19 will undeniably prosper more than those that have only focused on crisis management.
When the dust settles, we will be faced with a stark new reality full of risks and uncertainty that were only vaguely on our radar a few months ago. Those old risk registers we had will seem rather quaint – a reminder of a world that was far more predictable than we face now. Coddled by the predictability of the last ten years, we are not used to contemplate the level of uncertainty in what lies ahead. But Covid-19 has taught us a few lessons – that we need to think more broadly, more collectively, take risk more seriously and stop denigrating those that warn us of possible unpleasant futures. Hopefully, Covid-19 has been a lesson in humility.
Developing the new risk management strategies
We need to have a more holistic, more creative, less process-oriented view of risk management. Regulators have long required that public companies report their risks – and companies, feeling they were forced to comply, dutifully reported them as a bureaucratic task to be fulfilled rather than a business tool, missing the point entirely. GRC tools share some of the blame in promoting that way of thinking: Governance, Risk management and Compliance were all turned into box-ticking exercises in a software tool, rather than a set of valuable business practices.
A very powerful method to begin planning your new risk management strategy is to consider the drivers (threats) that you will be faced with, the risk events that they generate, and the consequences that those risks will produce. The terms deserve some explanation:
- Risk events represent the point at which you have lost control. From that point on, you are in damage limitation mode;
- Drivers are those factors that would bring about the risk event; and
- Consequences are the undesirable outcomes of a risk event
Drivers, risks and consequences are all events – meaning definable and observable, and these events can, and often do, change role. For example, a consequence can become a risk event driving another consequence, etc. That all seems very theoretical, so let’s look at an example:
During the Covid-19 crisis, Client A may go bankrupt, or perhaps they survive the immediate crisis, but succumb eventually to the damage they sustained. This is a driver. If they go bankrupt, they default on the money they owe you (the risk event) with the consequence that you lose the money owed. But perhaps we can do something about this. We could try to help them by sending them new clients. That could improve their financial position and reduce the chance that they will default. This action, reducing the chance of the risk event occurring, is called a control. We could also get an upfront settlement of say half the money which would reduce the impact. This action, reducing the size of the impact, is called a mitigation.
Client A going bankrupt could drive another risk – that the equipment we have at their site gets impounded when they go bankrupt, and as a result we can’t execute another contract. The risks are interlinked:
In the post Covid-10 world we are about to face, there will be many risks that we have not thought about before, and they will require all kinds of new and different actions to control and mitigate them. It will be a challenging task to get our head around them, and an even greater challenge to coordinate all the activities that will be needed to ensure the risk treatment plans are actually put in place.
This will not be done by one risk manager with a spreadsheet risk register and a heat map. The interactions, shared controls and mitigations, are numerous and one cannot hope to represent them in a spreadsheet. It requires an Enterprise Risk Management system with the analytical tools to prioritise risk treatment actions, as well as the operational tools to assign and monitor them. Some risks are most conveniently described and analysed in diagrams like the ones above, others will require simulation models. You will need to be able to incorporate cashflow risk models, project schedule risk, and other types of analysis – all sharing the same risk information – to develop the most effective strategy. The Pelican ERM tool offers the necessary range of capabilities in one integrated package. It can also be up and running in a couple of weeks, saving you very precious time.
Identifying the new risks
You will need a method to identify the risks to focus on. I recommend you take two approaches. The first is strategic – consider the set of consequences that would derail the new, post Covid-19 strategy for your business, and then think about the risks that could produce each of those consequences.
That will get you some of the way to a risk management plan, but often it is not a single risk that will derail the tactics for achieving a strategic goal – it is a combination or an aggregation. For example, if the business suffered several fairly large financial losses, the cumulative impact could mean it no longer has enough cash to execute its strategy.
So, we also need to take a second approach and look from the bottom up. The most intuitive and practical way to do that is to consider the drivers, and then ask yourself what risks they might generate. Here are some driver examples:
- Morale of key staff (after loss of loved ones, financial stress) and change in expectations
- Reputation of the business from the way it handled the crisis
- Bankruptcy of Client A, Supplier B, Contractor C
- Unavailability of Contractor D on project X restart
- Unavailability of materials E on project restart
- Project F delay
- Increased cost of materials G as demand spikes on restart
- Validity of force majeure claim of Covid-19 interruption for Contract H and coverage window
- Coverage limits of insurance under Covid-19
- Currency exchange rate changes
- Change and volatility of energy price
- Limited international movement of people
- Change in cost of transport of materials and people
- Consumer migration to online purchasing
- Excess stock of materials J (yours or suppliers)
- Changes in influence of different nations and how they trade
- Increased taxes to cover bailouts
- Change in political views of citizens
- Change in customers’ values
- Availability and cost of debt
You will no doubt think of many more.
How we can help
We can get you set up with Pelican in a matter of days, and then train your team how to use Pelican, how to think about the risks you face and the strategies for managing them.
You can watch a video demo of Pelican here.
For a discussion of cost (which is blessedly low), how to get started, or for general help in developing your risk management strategy, you can contact me, David Vose, via LinkedIn or email our sales team at email@example.com.