What I Learned About Risk During the Pandemic: Meme Edition

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, chief risk officer for Kovrr
Date Published: 17 September 2020

The internet is rife with memes that speak to how nobody could have seen what was coming in 2020. From the futility of buying a 2020 calendar to the pretentiousness of answering the question of where you are going to be in five years, they are endlessly funny and help to ease us through these difficult times. If you work in risk management, however, you may think them as inaccurate as they are funny. Why inaccurate? Because risk managers learn from the past and prepare for the future. Here are a few things that I’ve learned (or re-learned) during the COVID-19 pandemic:

1. This was not unforeseeable
Who could have foreseen this? Anyone could have, but it really is on risk managers to articulate why that is and what could happen next. Indeed, although not quite clairvoyants, prophets, or soothsayers, risk managers are basically forecasters with the added benefit of mathematical tools such as Bayesian Belief Networks and Monte Carlo simulations. By now, everyone is aware of the parallels being drawn to the 1918 influenza pandemic, also called the Spanish Flu. Such prior events are very helpful in forecasting future events and being prepared for them. We can adjust our probability estimations based on advances in the past 100 years in nourishment, hygiene and viral transmission. For organizational risk, we can likewise make adjustments to help forecast similarly possible but rare events. Indeed, the Basel II loss event type classification has long had a category for employee health and safety. Risk assessments can and should account for unavailability of staff contributing to business interruption risk. Regardless of the cause (what operational risk professionals call “risk triggers”), the controls are similar, which leads me to point #2.

2. We need to build resilient organizations
This has obvious meanings in technology, but I’ll address that next. What I’m talking about here is the need for organizational resilience. We need to learn how to execute our jobs from wherever and whenever is necessary to achieve our organizational objectives. Strike that. It’s not that we need to learn how to do it; we need to inculcate it into the fiber of our organizational culture. As the memes of our day have succinctly put it, we all learned that the job we were told couldn’t be done from home was actually able to be done from home just fine. So yes, this means working from home, but it also means so much more. We’ve operated for so long in a world where work primarily meant where you were and secondarily meant what you were doing. Shifting to a world where remote work is ubiquitous means shifting how you think about managing a workforce. It means developing (or sharpening) soft skills around understanding what a team is doing and managing to outcomes. This can be hard but has many added benefits, including a wider geography from which to recruit staff.

3. Digital transformation is resiliency
I recently called a health insurer here in the US to see if I could switch from paper delivery of explanations of benefits (EOBs) to digital delivery. They said that wasn’t possible. In another example, many companies still require wet-ink signatures to be affixed to documents that are then scanned and faxed to them. It’s 2020. If your organization still requires paper and faxes, you need to re-evaluate how you do business. It’s very plain now that organizations that are relying upon physical artifacts to conduct their businesses have suffered greatly over the past few months. The meme that asks who was the primary driver of an organization's digital transformation plan (hint: the answer is COVID-19) makes plain that this change was long overdue.

This includes concepts and practices like customer portals, digital delivery, digital twins, and app- and text-based customer interactions just to name a few. Organizations that already had the ability to flex their digital presence were much more agile in executing on their business objectives in a COVID world. Those that didn’t found themselves scrambling to serve customers and re-allocating budgets to make digital transformation happen faster.

The takeaway here for organizations going forward is that we need to design for digital and remote first, and not just web, but mobile also. In fact, as more and more people use smartphones as their primary computing device, for many customers, their first exposure to your company is your firm’s mobile app. Having an at-home workforce means shifting security from a bastion-host, secure-device way of thinking to delivering tools for work over a browser to any device (I’ve always said that if customers can move large amounts of money in a web-based banking application, surely we can do work over the same medium).

Clearly, cybersecurity concerns abound in these three lessons. Business interruption risk management is as much about business as it is IT. Developing resilient organizations is about individual grit and soft skills, as well as cloud computing. Communicating possible outcomes and preparing for them is a key part of being ready for the next major business interruption, whatever the cause.