Rethinking Risk in a Post-Pandemic World
The COVID-19 pandemic has caused organizations to make enormous operational changes that have impacted resiliency, created new cyberrisks and upended business models. Organizations now face a radical shift in risk management and many are working to understand the new and unknown risks before them.
As companies struggled to adapt quickly, the pandemic revealed three common areas of weakness: 1) governance and risk oversight, 2) business resilience, and 3) cyberrisk management. Organizations without a formal risk governance structure found it difficult to fully comprehend how changes in one business unit could cause unforeseen risks in others. Companies without a formal resiliency plan made decisions “in the dark,” and the lack of a centralized strategy impeded agility when it was needed most.
Organizations need to find a better path forward and there is no time to waste. According to a report by trade credit and surety insurer Atradius, 26% of corporations worldwide will be insolvent by the end of 2020.
Companies that want to be better prepared in 2021 and beyond need to rethink their risk management strategies, anticipate operational shifts and plan how to remain resilient, and evaluate associated cybersecurity risks to ensure the organization can withstand any shutdowns or major attacks. By adopting a more enterprise-wide approach, risk managers can serve as the catalyst within the organization to bring business units together to assess risks and discuss and develop the resiliency plans required.
Governance, business resilience and cyberrisk management are like three legs of a stool—without one, operations or even the entire company can fall. Developing competencies in each area will become a competitive edge as corporations try to move forward into the new year.
Governance and the Role of the Risk Manager
In the lingering COVID environment, it is imperative that organizations quickly assess lessons from 2020, identify the most impactful risks, and plan for new, unknown risks. This will require organizations to elevate the risk manager’s role and devote more attention to the board and senior management team’s risk governance.
Risk governance necessarily involves the executive team as well as the board of directors, and requires a governance framework that identifies the key risks this team needs to monitor. The financial health of a company, the safety of its personnel, and its ability to be agile and sustain critical operations all depend on good risk management strategies and resiliency plans.
Ideally, organizations should consider establishing a C-level or other top executive role for risk management. This would enable risk officers to more fully engage in executive- and board-level discussions to ensure that they have a full understanding of operations and associated risks, interact equally with business-unit leaders to manage risks across the organization, and develop more mature risk strategies for board-level review.
Risk professionals can do some of this work themselves by making an effort to operate across different business units to develop greater visibility, but by placing the risk manager in an elevated position, organizations enable them to more easily take the necessary enterprise view of the company’s risks. This allows the risk manager to better identify critical risks that could have a major impact to their operations or business; prioritize and quantify risks; determine the company’s risk tolerance; work with the business units and executives to mitigate risks; ensure appropriate testing is done; develop risk transfer plans; and provide risk reporting at the appropriate level.
Creating a More Resilient Business
Business resiliency includes the broad umbrella of crisis management, business continuity planning and disaster recovery, including data backup and restoration. Business resiliency plans help executive teams and operational personnel appropriately adjust business operations and strategies as necessary during emergencies or events that require rapid operational changes.
Although companies were warned years in advance that a global pandemic was possible, very few developed resiliency plans that prepared them for the virus. Many companies did not have a uniform approach to communicating about critical decisions or operational changes, both internally and externally. Their decision-making lagged, and at least in the early stages of the pandemic, caused major operational disruptions. Cybersecurity risk management was an afterthought. Many companies struggled with managing remote work and new ways of operating. The lesson for 2021 and beyond is that companies can no longer put off managing risks to resilience.
The coronavirus can be viewed as an asymmetrical threat or unfortunate circumstance, but it should not be considered a “one-off” event. It is important that organizations plan for anything that might negatively impact their operations or bottom line. Companies that have an enterprise-wide business resiliency plan in place will have a competitive advantage in the marketplace and stand a much better chance of staying in business.
Business resiliency plans should: identify dependencies among business units, including business continuity plans and communication strategies; identify potential impacts to critical operations (including from third parties, partners and customers); and incorporate cybersecurity requirements. Testing of the resiliency plan should be end-to-end and reports should be provided to business leaders, senior management and the board.
Business resiliency plans are important because they ensure the company can pivot quickly, be agile during a crisis and remain competitive. It is critical to remember that your customers expect you to be up and running regardless of what happens. Of course, workplace operations will not be the same post-COVID, and how companies remotely manage their workforce (both internal and contingent) matters for getting back up and running quickly.
Given the extent of organizations’ dependence on technology, IT infrastructure merits specific attention in these plans. Technical disruptions can wreak havoc, destroy brands, result in regulatory fines and lawsuits, and significantly impact market share, so factoring technology into resiliency plans can be a make-or-break differentiator.
Improving Cyberrisk Management
Most operational changes have associated cyberrisks. The pandemic created an opportunity for cybercriminals who found data centers and security operations centers unmanned, personnel operating remotely (often in an unsecure manner), corporate data transferred to online storage, and an increasingly vulnerable workforce. Barely a month into the lockdown, the FBI reported a 400% increase in cyberattacks compared with the pre-COVID period, and an increase in cyber espionage by nation states. When IT and cybersecurity personnel are not physically onsite and personnel are operating from home on personal computers, it impacts the company’s ability to respond to cyber incidents.
Cyberrisk management involves maintaining an enterprise security program that aligns with best practices and standards and keeps up with operational changes and the current threat environment. Cybersecurity programs involve numerous activities that must be performed on an ongoing basis and reviewed regularly to ensure they keep pace with the evolving threat landscape.
Large companies should perform cyberrisk assessments annually, and small- to mid-sized businesses should perform them at least every two or three years. When a crisis occurs, IT and cybersecurity teams should be part of planning any required operational changes. Modeling can be used to “dry run” proposed changes and detect unintended consequences, including cyber-related risks. Assessments based on the new environment and testing of incident response and backup and recovery plans can help identify potential cyberrisks and flag those areas of the cybersecurity program that must be changed to keep important risk controls in place and ensure recovery of systems.
Too often, however, CISOs and CIOs are not included in decisions regarding operational changes. To be effective, it is necessary to ensure the enterprise security program keeps pace with operational changes, the cybersecurity team works closely with risk management, and backup and recovery plans fit the new threat environment.
Reprinted with permission from Risk Management Magazine. Copyright Risk and Insurance Management Society, Inc. All rights reserved.
Written by Jody R. Westby and Leslie Lamb, 2020