Covid’s most important lesson about risk management
29 April 2020
We’ve been speaking with Ideagen customers about their response to COVID-19: to seek insights about what they have done as risk management and corporate governance professionals, learning how they are using our software applications to maintain resilience in this unprecedented moment. An unexpected (yet obvious when you think about it) insight has emerged: operational resilience varies with how fast an organisation can learn. The insight is that absorptive capacity is vitally differentiating in a crisis.
Absorptive capacity is defined by Cohen and Levinthal as "A firm's ability to recognize the value of new information, assimilate it, and apply it to commercial ends." This is critical in determining the effectiveness of an organisation’s response to an unquantifiable risk event like coronavirus.
“The very definition of 'emergency' is that it is unexpected, therefore it is not going to happen the way you are planning.” Eisenhower.
Defining a pandemic
A pandemic is a large unquantifiable operational risk like an act of war, an environmental calamity or other incidents of force majeure. The inevitability of a pandemic has been well signposted for years (see Bill Gates’ famous Ted Talk on the subject, for instance), just as the financial crash of 2008 was inevitable and had been flagged well in advance by Joe Stiglitz and others. These are risk events that are:
• Not quantifiable because we don’t know exactly how big the damage will be, nor when it will strike, nor where it will strike. Something evil this way comes, but we don’t know much else beyond that.
• Yet we do know that they are as inevitable as global warming, so they will strike, we just don’t know when.
• They are a tragedy of the commons in many cases because no authority, organisation or individual owns ultimate responsibility for preventive control management.
Preparing for the unexpected
It seems improbable that any organisation could be prepared for such an event, right? Well, this isn’t entirely true. Good risk management means being prepared for the unexpected, whatever that turns out to be. And that is the very essence of absorptive capacity. The benefit of risk management knowledge, discipline and processes already existing in an organisation prepares it for any risk event, even a completely un-modeled scenario. How does this work?
Absorptive capacity in relation to a large unquantifiable risk event is the sum of:
• Existing governance and risk management processes and systems that are already up and running and “well oiled”
• Skilled risk-management professionals working in concert with a proactive board
• Risk management tools and methods that are well understood and can be used immediately to address the unexpected
For example, one of our customers has a risk management process and structure that consists of several dozen risk registers (held in Pentana Risk), each of which ‘belongs’ to a business risk owner. These key risks are governed by several risk committees each of which is chaired by a board member. The process is run by a small team of risk professionals led by a CRO, with whom I spoke earlier in April. Their story illustrates the importance of absorptive capacity.
This organisation had never modelled a macroeconomic risk event like a global pandemic that included the following consequences, amongst others:
• No possibility of fail-over to another location
• Mass home working by front line staff
They had always thought that if a site was affected by a big risk event, then they could fail over to another location in the same country or, at worst, internationally. That is, if London goes down, we can work from Birmingham; if the UK goes down, we can work from the US and so forth. There was no scenario planned for an event that meant every site around the world had to close its doors.
So, what did they do?
The role of risk management software
First of all, because they had those risk structures (specialists, risk owners, risk committees and risk committee chairs) and processes, they were geared to be sensitive to risk and so, very early in the COVID risk event they adapted a Terrorist Act risk in order to help model and mitigate this new scenario. This led to an action plan being in place by early February that, amongst other things, enabled them to identify the need to procure the remote working equipment (thousands of laptops!) they would need for their staff to work at home.
Absorptive capacity leads to sensitivity and rapid understanding of a new landscape. This is our old friend, the number one rule of strategy: understand what is going on. This leads to rapid contingency planning, decisiveness and greater damage limitation. In order to achieve this, you need to have mature risk management business processes in place. There is no other way.
I’ve been relieved to learn that the majority of our Pentana customers have added COVID to their risk registers and are tracking on a daily basis. Many are using the Action Management capability to manage their Continuity plans, and, of course, Incident Management to respond to problems caused by this bad situation. Many customers are also using PleaseReview to facilitate collaborative working.
My number one takeaway from this? Risk management software, processes and systems are proving their value as I’ve never seen before on such a scale, above all because they create absorptive capacity in their organisations that allows agility, adaptation and responsiveness.
To discuss how we can help your organisation with risk management and strengthen governance and risk processes, contact us today.