Reconsidering Risk in a Post-Pandemic World – The Changes and Challenges

Introduction

Over the past year, the business activities have become much more uncertain due to protracted precarious and confusion in pandemic response approaches, the challenges of vaccine rollouts and emerging virus variants – and spill over effects into other risks. Organisations have had to manage dual economic and health crises, which have driven new employee and customer engagement protocols, remote working on an unprecedented scale, the re-manufacturing of supply chains and various shut down.

These long-term risk outlook have businesses wondering how to prepare for what may take place ahead. Foremost on their mind is their survival and building resilience. And not only in relation to ongoing pandemic impacts and their competitive positioning, but also recently unleashed cyber-attacks, catastrophic climate events and social unrest that demands workplace and community change.

1. Disruption is an endless excursion

Industries are facing disruptions from all sides. As organisations struggled to adapt quickly, the pandemic revealed three common areas of weakness:  governance and risk oversight, business resilience, and cyber-risk management. Organisations without a formal business resilience structure found it difficult to fully comprehend how changes in one business unit could cause unforeseen risks in others.

Organisations that want to be better prepared in 2023 and beyond need to rethink their risk management strategies, anticipate operational shifts and plan how to remain resilient, and evaluate associated cybersecurity risks to ensure the organisation can withstand any shutdowns or major attacks. By adopting a more enterprise-wide approach, risk managers can serve as the catalyst within the organisation to bring business units together to assess risks and discuss and develop the resiliency plans required.

Below is the rank of top risk taken from BCI Horizon Scan Report in 2022:

In the next 12 months, non-occupational disease remains as main concern of many organisations. While in the next 5 years, the research found that cyber-attack & data breach become top the risk and this is no surprise where numerous cases recorded in cyber-attack globally recently.

2. Governance and the Role of Risk Manager

In the remaining COVID-19 environment, it is crucial that organisations quickly assess lessons from 2020 which is to identify the most impactful risks as well as plan for unexpected risks. This will require organisations to further enhance the Risk Manager’s role and allocate more attention to the Board and Senior Management Team’s Risk Governance.

Risk functions and executive teams play leading roles in building a resilient organisation more than strategy teams. Organisations are advised to form a top executive role for risk management. This would enable risk officers to more fully engage in board-level discussions to ensure that they have a full understanding of associated risks.  However, risk managers have yet at the centre of resolving crises at all times. A better risk governance model is key for efficient and effective decision making and crisis management.

3. The “Challenges” of Risk Manager

By placing the risk manager in a critical position, organisations enable them to more easily take the necessary enterprise view of the organisation’s risks. Certainly, the biggest challenge risk professionals need to overcome is to convince the decision makers to allow risk views to be heard at the table and to invite risk manager to the decision. Most business processes involved in planning, forecasting, budgeting, decision making, or performance management have been inherently designed to ignore uncertainty. So, what risk managers need to be concerned about is how to get involved in important decisions and justify the time and effort required to perform risk analysis and to convince decision makers to use the outputs in their decisions.

Next, the current top challenges in risk management are ESG risks that include climate, social, and regulatory issues, ongoing concerns about the global supply chain, plus the never ended fraud, tech, and systems risks. Risk assessments need to go beyond a standard checklist. It is important to review the basics, but risk management must also suss out gaps and uncover information that teams are missing to determine what they don’t yet know. In the other hand, risk managers also need to ensure their risk assessment process takes into account steps to investigate and probe for the potential concerns they aren’t even aware of yet.

4. Creating More Resilient Business

Business resiliency includes the wide umbrella of business continuity, crisis management, disaster recovery and enterprise risk management. Business resiliency plans help the executive teams and operational personnel appropriately adjust organisation’s business operations and strategies as required during disasters or emergencies as they require rapid operational changes.

Although organisations were warned years in advance that a global pandemic was possible, very few developed resiliency plans that prepared them for the outbreak. Many organisations did not have an structured approach to communicating about critical decisions or operational changes, both internally and externally. Their decision-making lagged, especially during the beginning of the pandemic, caused major operational disruptions. Cybersecurity risk management was an afterthought when issues started to surface. Many struggled with managing remote working, communication, and new ways of operating. The lesson for 2020 and beyond is that organisations can no longer put off managing risks to create business resilience.

5. Improving cyber risk management

Most operational changes have associated cyber risks. The pandemic created an opportunity for cybercriminals who found data centres and security operations centres unmanned, personnel operating remotely, corporate data transferred to online storage, and an increasingly vulnerable workforce. Barely a month into the lockdown, the FBI reported a 400% increase in cyberattacks compared with the pre-COVID period, and an increase in cyber surveillance by nation states. When IT and cybersecurity personnel are not physically onsite and personnel are operating from home on personal computers, it impacts the organisation’s ability to respond to cyber incidents.

Cyber risk management involves maintaining an enterprise security program that aligns with best practices and standards and keeps up with operational changes and the current threat environment. Cybersecurity programs involve numerous activities that must be performed on an ongoing basis and reviewed regularly to ensure they keep pace with the evolving threat landscape.

Large organisations should perform cyber risk assessments annually, and small to mid-sized businesses should perform them at least every two or three years. When a crisis occurs, IT and cybersecurity teams should be part of planning any required operational changes.

    Conclusion

    In a nutshell, the pandemic has radically changed demand patterns for products and services across industries, while exposing points of fragility in global supply chains and service networks. In the future, risk management will expand to become more a part of the day-to-day culture within organisations. The challenges facing risk management and other areas of business due to the unexpected pitfalls of a global pandemic have shown companies across all industries how important it is to prepare for unexpected situations and to shore up business processes as much as possible. It’s critical to have risk identification, assessment, mitigation, and remediation efforts in place. If you are considering to review your risks or enhancing your business resilience in 2023 and need some advice, you may reach out to BCP Asia at www.bcpasia.com or drop us an email to: enquiry@bcpasia.com

    Written by: BCP Asia Consulting Team