Aon | Professional Services Practice
Release Date: February 2021
5 risk management lessons from the COVID-19 pandemic
What lessons can professional service firms draw from recent events to enhance the practice of risk management?
Daniel Defoe’s, A Journal of the Plague Year, concerning the Great Plague of 1665, illustrates that history has many lessons to teach us about pandemics.
“And here I must observe again, that this necessity of going out of our houses to buy provisions was in a great measure the ruin of the whole city; for the people catched the distemper, on these occasions, one of another.”
A global pandemic has been considered a remote but plausible catastrophic risk. The World Health Organization estimated a pandemic could affect 20-50% of the world’s populationⅰ. Contrary to some views therefore, this should not be characterized as a Black Swan, which is an unforeseeable event with unknown consequences. The unknown and unexpected elements were the global and continuing effects.
1. Low probability events require preparation
There is a tendency to discount low probability events even if the consequences could be severe. The pandemic was initially underestimated. Very few organizations would have had specific plans in place, but with the help of technology, many businesses adapted. In fact, continuity, crisis management and incident response plans allowed organizations to respond and continue operating.
Allocating time for thinking about more remote risks and utilizing tools such as scenario planning can help to address these challenges. That may serve to extend the scope of crisis and continuity plans.ⅱ
2. There is a period of opportunity to get a crisis under control
There is a cycle of understanding, responding and planning. Honesty about the facts and good communication are amongst the basics of effective crisis leadership. Organizations that dealt well with COVID-19 understood the key interrelationships and dependencies within the business.
One key objective in crisis management is to avoid re-occurring cycles. A clear sense of purpose coupled with dynamic contingency planning will be required to manage through the phases that we will face. This will require a strong continuing narrative around the key issues.
3. Existing vulnerabilities are exposed
The most obvious example would be the cyber exposure created by large-scale shift to remote working. Ransomware attackers notoriously sought to attack this vulnerability. Complex supply chains are now riskier and in many industries are being re-thought, not least because of concerns around brand and reputation and geopolitical risks.ⅲ
Technology was also the savior. There is now a strong focus on investing in data security, automation and digital technology. Compliance and technical support issues are continuing challenges as working from home becomes more prevalent than in the previous norm.
4. Integrated risk management is vital
The pandemic has exposed the limitations of silos and narrow definitions of risk managementⅳ. The construction of a broader risk radar outside of traditional operational and hazard risks should have captured the possibility of a pandemic, although not perhaps the full-scale of what we have experienced. Monitoring the landscape, developing scenarios and studying near misses would allow emerging risks to be better understood.
An integrated approach with high levels of collaboration is therefore vital, as demonstrated by successful cyber security procedures and incident response plans.
5. Decision making and avoiding bias
Complexity is increasing. The risks posed by behavioral and cultural dynamics can undermine effective decision making in all stages of a crisis. Common biases can impede the crisis response: these include confirmation, recency and optimism biases.ⅴ
Bias is inevitable, but we need to be aware of its existence in order to make rational decisions. Social psychology and systems theory are close allies of risk management. Their techniques can be used to explore underlying conditions and causes, identify risks with relevant data, and importantly to explore risk interdependencies.ⅵ
The volatile, uncertain, complex, and ambiguous (VUCA) environment virtually guarantees that the next crisis will not be any more predictable than any others have been during the past few decadesⅶ. In the future more attention will have to be paid to external risks. While some of these risks may be outside of the direct control of the organization, their consequences may not be.
ⅰ Smil, Vaclav, Global Catastrophes and Trends, (2008), pages 46-47 for discussion on predictability and consequences of a global pandemic.
ⅱ See Commercial Risk, September 25th, 2020, Risk management lessons must be learnt from COVID-19 crisis, by Ben Norris. Article gives views of many prominent risk managers.
ⅲSupply chain risk management is back, McKinsey & Company, January 2020. This provides an excellent overview of the sources and impacts of supply chain risks.
ⅳSee Commercial Risk
ⅴPandemics have now become the No. 1 risk in many surveys. See the recent Global Risks Report 2021 from WEF for good discussion with classifications for probability and severity
ⅵSee Stroh, David Peter, Systems Thinking for Social Change, (2015) as good practical introduction to systems thinking. Also, for 11 page concise discussion, Application of systems thinking to risk management, Diana White, available by download.
ⅶWhat VUCA Really Means for You, HBR, Jan-Feb, 2014.
To discuss any of the topics raised in this article, please contact Keith Tracey.