Risk management in a post COVID-19 world
Alastair Goddin, Head of Risk at Asta Capital Limited, reflects upon risk management in organisations in the light of the COVID-19 pandemic. He considers what has changed and what has not changed and what lessons can be learned in the immediate term.
The maturing risk management function
The experience of recent events has been different from that of the global financial crisis of 2008 / 2009. It has demonstrated that risk management teams are now an important part of many organisations. Whilst at the time of the global financial crisis there was criticism that risk management teams were not as embedded as they should have been in organisations, the recent events have demonstrated that teams now are more aligned with the organisation’s strategy. The speed of response has been significantly quicker and the depth of these responses greater. Board members and non-executives have been very keen on understanding the perspective that risk management has to offer in dealing with these current challenges.
During this time, we have seen a rigorous testing of several assumptions that we made in the past. That remote working is possible. That continuity plans that were tested each year were effective.
There have been other risks that have been reappraised. For example, our people risk where the scale of the impact both emotionally and logistically has been significant. Whilst we may be developing a way of working from home there are risks, for example, that saved commuting time may be replaced by increased working time. Organisations need to consider the longer-term implications on working environments and office space. Flexible working can change where we access talent from and how we,
as a society, address issues around housing.
Developing scenarios
The primary role of risk management in circumstances such as these is to provide a range of scenarios that can be evaluated. One example might be the scenario around the availability of a vaccine. Risk management cannot predict when this will happen, but it can appraise scenarios of people are able to resume working in an office environment as opposed to working from home, including the risks associated with the use of public transport and a safe office-working environment in the absence of a vaccine. Clearly, for a city such as London, there will be substantial barriers to returning to the office whilst there is a need to maintain social distancing. What is the business impact of this if employees remain working at home for an extended period? What new risks are we introducing, what new opportunities are we creating?
The economic impacts of the pandemic are another consideration. We have seen volatility in exchange rates and equity markets are heavily down. What is the impact on investment portfolios or the access to capital, for example?
Since the financial crisis we have spoken about larger scale events. The term Black Swan has become one in increasing public use. You need to consider these extreme events and they are not new. As an example, and considering this current pandemic, we have had viruses with high transmission rates and viruses with high mortality rates. What makes this current situation with Covid-19 different is that it is a combination of the two. Should we have foreseen that this could occur, probably, but we could not have predicted when. What we need to learn from this is that it is the combination of factors that we need to consider. We should always be mindful of the combination of circumstances that might occur when developing our risk assessments.
Remember other business risks
In another example of this correlation effect, cyber risk remains prevalent. Indeed, some cyber threat actors are taking advantage of the new ways of remote working to expose that risk. Whereas before we could have reached across to a colleague to ask if the email looked unusual, now we must make that judgement ourselves. The profile of the traditional business risks has altered because of our changed circumstances. We should not ignore those risks that we have already identified, but we need to reappraise them and consider new risks that are emerging.
Conclusion
In conclusion, there are three points to think about in our recent experiences.
Firstly, that there is a clear value and importance in risk management. It is an interesting place for ACCA members to work.
Secondly, at the heart of risk management is scenario planning. Helping the organisation to understand what might happen. You cannot say what will happen, but you can explore what might. In every scenario there is an upside to risk and boards need to be able to consider the potential opportunities as well as the threats.
Thirdly reappraise your assessments. The extreme events can happen, and it is not always expected business risks that arise. It is surprising how resilient society can be and there are always potential benefits to explore.
Alastair was in conversation with Jamie Lyon, Portfolio Lead, ACCA and Clive Webb, Head of Business Management, ACCA. This article has been published with their kind permission.
Alastair Goddin joined Asta in June 2019 as Head of Risk with responsibility for the maintenance and development of the risk frameworks across Asta and its clients, including risk reporting, internal model validation and the Own Risk and Solvency Assessments.
Alastair joined Asta from Willis Towers Watson where he was Regulatory Capital Director with responsibility for the regulatory capital assessments across the Group. He has previously been Head of Risk at Hiscox and Omega.
Alastair is a member of the ACCA Global Accountants for Business Forum and was previously a member of the ACCA Financial Services Panel, Chairing and speaking at events covering Solvency II, risk management and corporate governance.