ERM 2021: Best Practices
When the pandemic was announced, a lot of companies went into a tailspin. Even banks – which are usually well attuned to risks in their environment – were stunned at its magnitude, and the devastating global impact that it had in such a short time. But this should not have been the case. The World Economic Forum usually polls executives worldwide on the events that can affect business substantially, and a pandemic has always been classified “medium probability, high impact.” So why was this pandemic so disruptive? With hindsight, it is apparent that experts and market watchers grossly underestimated the event and its scale.
Things will be unsettled for a while yet
As a result, everything connected with effective risk mitigation has to be viewed within the context of the pandemic. Because the scale of a pandemic is many times that of an epidemic (like the Ebola virus, for instance), companies initially found it difficult to come to grips with. However, some have successfully transitioned to what is now increasingly referred to as the New Normal. The business environment is still in a state of flux, and while it is good to be able to manage matters in the New Normal, firms that can predict or anticipate what may happen in the near future – and orient themselves accordingly – will be better prepared for the next stage, i.e., the Next Normal.
“It’s all about protecting lives and livelihoods,” said Ramesh Pillai, Chairman of the IERP’s Board of Governors, at a recent online event. “We are living in a time of uncertainty, flux and disruption. We need to protect lives to protect livelihoods but this cannot be done until people are comfortable with going out and working.” Adding that estimates point to normal economic activity resuming by no earlier than the end of Q1 2022 or mid-2022, he said that timeframes differ by location, and working from home (WFH) will still be necessary as physical distancing was acknowledged as one of the ways of curbing the spread of infection.
New ways of working, new risks
However, the increase in WFH will drive a parallel increase in cyberattacks, which are expected to become more destructive. There is also pressure from regulators, sustainability initiatives and climate change programmes to consider in tandem with the impact from and response to the Covid-19 issue. Complicating the matter further is the attitude of many organisations towards the risk management function; there is always the tendency to view it as a cost, rather than a value-creating centre. This often makes it difficult to rationalise spending on ERM. Risk professionals should therefore concentrate on building up staff competency, capability and the credibility of the function.
“Beef up the muscle of the ERM function and team,” he advised, suggesting that better use of automation could be applied towards this. There also tends to be a lack of understanding that the second and third lines of defence need to be split even at Board level, to ensure that the organisation has all its bases covered when it comes to protection. This refers to the separation and splitting of the Board Risk and Board Audit Committees. The Aligned Assurance approach ensures that the second line of defence is in constant communication with the first line, and collaborates with the first line. Together with Risk Coordination, Aligned Assurance focuses on compliance and alignment when carrying out the compliance function.
He cautioned that companies now do a lot of work with third parties and are thus exposed to more risk – increasing the areas of risk that need to be managed. Risks change constantly; the organisation’s risk appetite needs to be dynamic as well. Constant updating is necessary, following changes in its situation or the business environment. Because of the pandemic, the emphasis on ERM was increasing among many companies. “Smart, forward-looking companies are realising that there is more to be gained from ERM practices,” he said. Companies were also beginning to prioritise agility and the ability to pivot, in tandem with the growth of their online presence.
The pace of digitisation has sped up significantly. What would have taken a firm four or five years to achieve digitally has now been achieved within the space of a year or less. This has added to the need to make digital signatures and communication more secure, thereby challenging the processes that are required to improve them. Organisations are being spurred into seriously thinking about what the next reality is likely to be, and working out what they can do in anticipation of it. One way is to extend best-practice ERM principles throughout the corporate ecosystem and make them part of the organisation’s DNA.
As the pandemic persists and spreads, disruptions to the supply chain can be expected to continue as different parts of the globe experience different kinds of infection at varying levels. Logistics problems will extend to backlogs in shipping and delivery; third party vendors therefore need to also be monitored through vigorous due diligence. Companies will have to know what their suppliers’ plans are, in order to make contingency plans of their own. Tying all these together is the rising criticality of data – its availability, integrity and accurate analysis, as the lifeblood of the firm. The risks affecting data should therefore be an organisational priority.
Data collected from careful monitoring across the digital environment will go a long way towards helping organisations formulate mitigative measures, moving forward. It is capable of keeping key stakeholders abreast of organisational developments, and the firm’s response to business challenges. The growing digitisation of businesses will spur the need for greater incorporation of technology into the risk function; ERM technology spend is expected to rise in 2021 as firms recognise the need to digitise the risk management process, and realise that they will have to deal increasingly with technology to sustain their resilience.
The pandemic has demonstrated that impactful events and the disruption resulting from these inevitably come in waves. When these waves engulf the environment, firms will be affected but it need not be a struggle. Organisations will need to be aware that risks will change as well, and make adjustments in the way they respond. Together with mitigative measures, they will have to make mindset changes that will support them as they return, not to business as usual, but to a business environment of increased volatility.