• Enterprise Risk Management Teams are Most Focused on Assessing the Impact of COVID-19 on Operations and Controls
While many organizations had included a potential pandemic as one of their top risks, few anticipated the severity of COVID-19’s impact to their operations and health of the business. ERM teams report that crisis management generally has been successful in terms of keeping employees safe and moving to a work from home environment, but organizations are struggling to manage the downstream effects of the crisis, such as disruptions in their supply chain, additional productivity-related concerns, and other third-party considerations.
ERM teams are speaking with risk owners to determine how the risks they own have changed and if their mitigations are effective. “Audit and risk leaders need to distil this information and use it to focus discussions with the board and senior leadership around the near-term business impact of these risks to ensure the enterprise response is updated to reflect the current environment,” said Mr. Herd.
Immediate Actions
The tactical measures that most ERM leaders are taking immediately are:
• Updating risk assessments to account for changes in risks such as third party, supply chain and cybersecurity, and ability to execute remotely
• Working with senior leaders to ensure the organization does not adopt a disproportionately risk averse posture
• Working with senior management to ensure cost optimization decisions account for risk and potential impact
• Updating communications to the board and management with specific risk-based insights surrounding near-term COVID-19 impact and recommended actions steps
Lessons Learned
Another way the ERM team should seek to demonstrate value and leadership during this crisis is by liaising with the numerous teams managing different aspects of the crisis.
“ERM should use its unique position having an enterprise-wide purview to extract lessons learned from the teams involved in managing the crisis,” said Mr. Herd. “These lessons include understanding the efficacy of business continuity and crisis management plans, interdependencies, and emerging risk sensing and assessment practices.