An opaque business and risk environment is perhaps one of the few certainties for the months ahead given the combined effects of COVID-19, the global recession, extreme weather, deep-seated social unrest, and an increasingly polarized America. It also points to the critical importance of having robust enterprise risk management (ERM) processes that are closely linked to crisis preparedness and resilience.
To that end, many lead directors are asking what lessons can be learned from recent events. In our discussions with lead directors, two points have come up consistently.
First, even before the events of 2020, companies and boards were dealing with an increasingly complex business and risk environment. The challenges of technology and business model disruption, cybersecurity, investor scrutiny, regulatory and political uncertainty, and geopolitical risk prompted a sharper focus on the issues that are most critical to a company’s success and long-term value creation—such as competitive disruption and other strategic risks, capital allocation, performance, leadership, and human capital management.
Second, many lead directors note that it is critical to take a fresh look at the company’s ERM processes and changing risk profile to assess whether crisis plans are closely linked to the company’s critical risks.
With that in mind, there are a few key questions to consider.
Does the company have a complete inventory of its critical risks? COVID-19 has surfaced a range of risks, from employee and customer health and safety and managing remote workforces to the acceleration of digital transformation, changing customer demands, and supply chain vulnerabilities. Extreme weather events also illustrate the risks that climate change poses to companies, supply chains, customers, and society at large. COVID-19 and social unrest have cast a bright light on a host of environmental, social, and governance risks that should be front and center for boards and business leaders, particularly social issues, including employee well-being, pay equity, racial and gender diversity, human rights, and corporate commitments to stakeholders.
Are crisis readiness plans linked to risk management, and are we prepared for a worst-case scenario? Even the best ERM process isn’t going to prevent or mitigate every crisis, so companies need to have a response plan in place and focus on resilience. Identifying likely crisis scenarios and practicing responses using tabletop exercises is imperative. Prepare for the worst-case scenarios (e.g., extended periods of supply chain disruption, substantial sustained declines in sales and revenue, and the loss of key personnel) with the goal of keeping the business running despite disaster.
Does the board’s existing committee structure bring the right focus to the company’s risks and crisis readiness? Assess whether each committee’s risk oversight responsibilities are clear and whether the allocation of responsibilities still makes sense in light of the changing environment. While boards may be reluctant to establish another committee, consider whether a finance, technology, risk, sustainability, or other committee would improve the board’s oversight effectiveness.
Do the company’s risk management activities result in a consistent, enterprise-wide view of the top risks? The board and management should align on what the company’s top five risks are and how they should be addressed. In addition, ensure that everyone from the C-suite to rank-and-file employees understands which risks pose the most significant threats to the company’s reputation and that the company’s culture promotes a clear risk philosophy to guide employees’ behaviors and decision-making.
The crises of 2020 have been wake-up calls to take a fresh look at the company’s ERM processes, crisis readiness, and risk mindset. The road ahead is likely to remain opaque and rife with potentially greater crises, some unexpected, and others already visible on the horizon.