Risk management is proactive, peering around corners to identify uncertainties that may impact the organization’s ability to achieve its objectives. Crisis management is reactive, marshaling resources to respond to a risk that has already manifested and requires immediate attention. Both require senior leadership engagement to be effective, but the roles and methods can be very different, and the chief risk officer (CRO) may be the best person to address both.
If CROs are typically focused on addressing how current exposures might impact future results, what is their role in the middle of a crisis, when a significant risk has already manifested? Many CROs have had to manage crises, but the current pandemic is pushing everyone into uncharted territory. The challenge (and opportunity) for CROs is to pursue actions that add value for their enterprises, both in the moment and for the long term.
Immediate Crisis Management
Most organizations have established an all-hands-on-deck approach for their senior leadership teams to deal with the coronavirus outbreak, which is expected and appropriate. All aspects of organizational activity have been impacted, and all leaders have a role to play in dealing with the countless discrete challenges arising. But what should the CRO’s focus be?
When leaders react in the moment there is often little time to assess the impact of decisions, and their actions to address the immediate crisis might create additional risks. Organizations do not have to wait for unintended consequences of well-intended decisions to manifest before addressing these kinds of collateral risks. CROs are skilled at anticipating these very kinds of outcomes. Having them intimately involved in these discussions provides a real-time forward-looking perspective on the known (or seemingly unknown) implications of these directives.
In some cases, the CRO’s insights might inform how the decisions are carried out, to ensure that the initial objective is accomplished in a manner that does not negatively impact some other part of the organization. In other scenarios, management may continue down the original path, but identify additional or alternative risk responses to decrease a vulnerability that may otherwise be created. Moreover, management’s ability to articulate the thoughtful, risk-informed process it followed in formulating its crisis response could also pay significant dividends in the future. Identifying risks up-front provides a record that may clarify real-time decisions to oversight or regulatory bodies in subsequent audits or investigations.
CROs bring a different lens to crisis management, advising leadership on the risk-based implications of the rapid decisions that must be made. CROs can help anticipate unintended consequences, proactively plan for them, and maintain a record for the future—all without distracting from the immediate demands on management for timely action in the midst of a crisis.
Actions to Address Immediate Crises:
- Demonstrate to senior leaders how a proactive risk-management lens can be an invaluable component to crisis response.
- Commit to assessing enterprise-level crisis response decisions for collateral consequences across all risk types, including reputational risk.
- Provide feedback to crisis response teams on potential risks their real-time decisions are creating, as well as potential mitigations that might limit these exposures.
- Engage risk officers throughout the organization to monitor for emerging risks resulting from crisis response decisions. Provide a simple, standard mechanism to report emerging risks, as soon as they are identified, to the crisis
- Lead the effort to document the crisis management team’s risk-based decisions, including the decisions themselves, a straightforward risk-based rationale, and the nature of any identified risks that are being accepted as a result. If feasible, place these decisions in the context of the organization’s risk appetite. A simple, standard form (stored in a central repository) can be used to enable easy access during future reviews by auditors, regulators, or inspectors general.
Longer-Term Crisis Management
CROs are also uniquely suited for dealing with a crisis such as the current pandemic by anticipating the risks to their organizations when the crisis ebbs and it is time to ramp up normal operations. The vast majority of the leadership team is almost exclusively focused on dealing with the current organizational stresses from a vantage point of a few days or weeks. But someone should be anticipating the challenges that may confront these enterprises when the “all clear” is given and the competitive pressures of the business world—or mission requirements in the public sector—are suddenly subject to circumstances they never previously encountered.
Risks will likely manifest across the whole organization, including operations, compliance, financial, human capital and even the very essence of the enterprise. Strategies may need adjustments based on new market realities, while internal operations and even organizational culture may require modifications to maintain consistency with the organization’s mission, vision and values. Each of these realities will introduce risks that were not evident just a few weeks ago.
In many respects, operations will likely not be back to normal immediately. Organizations will encounter all manner of obstacles in their effort to return to normalcy. To avoid another kind of crisis when resuming operations, someone should be analyzing these risk areas, anticipating likely scenarios, and developing risk responses that can be deployed in a proactive rather than reactive way. The organization’s CRO is perfectly suited for this responsibility.
Actions to Address Longer-Term Crises:
- processes that are normally used for annual enterprise risk assessments, but focusing specifically on the risks associated with the return to normal business operations. As appropriate, differentiate between a partial return over an interim period and the final re-establishment of full business operations.
- Engage senior leaders to determine if the pandemic has fundamentally changed the organization’s mission, vision and values, its enterprise-level strategic objectives, or its risk appetite. Align risk identification and analyses to any updates to these
- Provide guidance and standardized tools for risk officers to update the current enterprise risk profile, along with new entrants for consideration that are specific to the post-pandemic environment. The full portfolio of risk types should be considered, including strategic, financial, operational, and compliance. Particular consideration should be given to workforce-related risks given the massive disruption to the workforce as a result of the current crisis, as well as reputational risks that may otherwise be missed without proactive assessment.
- identification should include both top-down and bottom-up activities, with the CRO taking the lead to get input from senior leaders, while risk officers capture insights from across organizational business units. These efforts should be pre-planned and targeted to minimize disruption to current crisis
- Aggregate the input received, create/update risk statements, assess the risks for likelihood and impact to assist prioritization, and prepare potential risk responses for
- As the nature of the pandemic evolves, this exercise should be ongoing and dynamic, perhaps including updates on a pre-defined cadence established by the CRO and senior
- Update the enterprise risk profile based on the preceding activities and provide the results to the organization’s senior risk governance board.
- Commit to working alongside business owners to provide advice on the effective implementation of risk responses as early as possible to reduce the likelihood of risk