Heightened measures to risk-proof businesses have yielded some positives as is apparent from the pandemic response. Image Credit: Gulf News Archive

As I sit at home in lockdown, I am reminded of the lyrics of “Beautiful Boy” containing this famous line: “Life is what happens when you are busy making other plans”.

COVID-19 has thrown the spanner into the works without exception for everyone - individuals, businesses and governments alike. It has struck us all swiftly and changed our daily routines, mindsets and, perhaps, our futures in dramatic fashion.

A question that comes to mind is “Could we have anticipated this and therefore better prepared to deal with this?”

We all have to acknowledge that the risk of a pandemic has been talked about many times and parts of the world experienced the impact of SARS, Ebola and Zika in the not too distant past. A pandemic has been on the World Economic Forum’s lists of top risks for several years.

Despite this, it appears that most organizations and governments were caught completely unprepared and are struggling to deal with the various unplanned aspects. In short, they are thinking on the fly.

As a risk professional, I believe this is because the non-financial sectors have not had a track record of practising “Enterprise Risk Management”, which the financial sector - thanks to regulators and the Global Financial Crisis of 2008 - has internalized in its strategic planning, and is, perhaps, better off for this.

Been around awhile

Those of us who have worked in the BFSI (banking, financial services, insurance) industry and especially in risk management are all too familiar with ERM. This discipline has been around since the 1960s and evolved rapidly into a complex science replete with sophisticated models and tools. And indeed, it is a favorite pastime of regulators. Credit for this must go to the regulators who rightfully have to “protect” financial institutions from “failing” as they hold public money. The crisis of 2008 also provided impetus for development of ERM.

Financial institutions are required to have a strong and functioning risk management structure that is independent, knowledgeable and accountable to regulations, and to demonstrate risk frameworks that mitigate all types of risks (those known and less known across the probability/impact spectrum and based on a variety of scenarios).

Less equipped

In contrast, other sectors such as retail, hospitality, healthcare and manufacturing (and the list can go on) do not appear to show too much evidence of well-structured enterprise level top-down risk management functions and discipline. This is borne out by a 2017 Global ERM survey carried out by RIMS (Risk Management Society) with nearly 400 senior executives across 14 industries including financial services.

Nearly two-thirds of respondents were from large companies with revenues of $500 million and 80 per cent of respondents were from the US. About 92 per cent of respondents from the financial services sector said that ERM is either fully or at least partially integrated in their companies, implying that it is practiced in a structured fashion at the corporate and business unit level.

In contrast, only 50 per cent of respondents from non-financial sectors stated their organizations were practicing some sort of an ERM programme. It would be a fair assumption that if in large companies in developed markets in non-financial sectors this is the picture, in emerging markets and at smaller companies, ERM would be a bridge too far.

Deployed by all

ERM as a discipline offers many tools and concepts that enable any entity - ranging from a Fortune 500 company to an SME or a part of government - to proactively identify, assess, mitigate and monitor key risks in a structured fashion. These are not just limited to “event risks” like COVID-19 or a geopolitical catastrophe. It can be any major risk that prevents reaching strategic objectives at an organization.

Other major categories addressed by ERM can be strategic risks - business model disruption and disintermediation - or operational (risk of human, technology and process failures or fraud).

These can also be legal and regulatory risks or compliance-related arising from violations or misconduct. The business benefits of an ERM programme go far beyond managing unforeseen calamities, and make strategic planning more solid and resilient.

Senior management and boards in organizations that have not invested in ERM need to make amends by first getting a buy-in for initiating dialogues at their level and building awareness through specialists or external interventions.

It would be useful thereafter to embark on a structured process of risk identification, assessment, mitigation, monitoring and cascading ERM in the firm. All of this would have to be supported by proper governance and metrics to ensure progress is sustained and measured.

Most importantly, senior management has to be truly committed to create a risk aware culture in every part of the organization. Key domains like the vision, mission, strategic objectives and planning must reflect a risk philosophy.

ERM is a journey...

- Venkat Sarma is a banking and financial services risk management consultant.