By: Steven Minsky
As CEO and founder of a risk management firm, Steven Minsky spends his time helping organizations manage pandemic, economic, supply chain and political risks. As the coronavirus continues its global march, its effect on business is no longer imminent; it is present. To help turn panic into productive and proactive action, in this opinion piece Minsky has put together a series of practical steps that all organizations should explore.
This is the first week that LogicManager, my Boston-based company, began its proactive two-week work-from-home trial. We wanted to put the health and safety of our 75 employees first and begin the learning curve of virtual business operations before we were forced to do so. Our goal was not to close the office but rather to reduce our employees’ public transportation exposure by minimizing commuting and proactively use social distancing techniques. Achieving social distancing is an example of one of five major risk considerations that organizations need to learn to manage. I will say more about that below.
We decided not to wait until we got more guidance from the CDC or our local, state or federal authorities and quarantine — as is happening in Italy, Spain, France and other countries — was suddenly implemented. In our preparation process, we used risk management to uncover many policies and processes throughout our various business departments. This trial period has given us a low-risk opportunity to test and iterate with the flexibility of going into the office if needed.
What would happen to your organization if illness led to a sudden reduction of more than 40% of your workforce? Is your organization in one of the many industries expected to experience a serious revenue downturn from this outbreak? Are our organizations as prepared as we might believe for the coronavirus pandemic, also known as COVID-19?
The effects of the pandemic – as the World Health Organization declared officially on March 11 — are predictable. The impact on our organizations, customers, vendors, and communities is knowable. Even so, as action remains elusive, there is a natural tendency for panic to arise. To help turn panic into productive and proactive steps to prepare, we have outlined five major risks and mitigation strategies that all organizations should explore.
Enterprise Risk Management for Coronavirus
Enterprise Risk Management is a technique and software infrastructure that makes those impacts clear to your organization, industry, and geography. It generates a plan of action and provides a mechanism for communication and implementation. A risk management framework engages everyone in your organization to support preparation and changes to reduce negative impacts from events. Reducing the coronavirus business effect is imperative. With this framework and enterprise risk management strategy, fear can be transformed into action and unease into peace of mind.
How will your organization generate revenue and execute operations with workplaces mostly either off-line or remote?
Five Business Risks
Here are some of the key risks that organizations face as the COVID-19 crisis deepens.
Risk 1: Disruption Due to Social Distancing
Social distancing is a term applied to certain actions that are taken by public health officials to stop or slow down the spread of a highly contagious disease. During the peak contagion months from December 2020 thru March 2021 policies of “social distancing” are likely to be necessary in the United States workplaces and schools. Most business events and travel will be curtailed or canceled during this peak period. How will your organization generate revenue and execute operations with workplaces mostly either off-line or remote? In 2019, only an estimated 14.1% of all retail sales worldwide were done through the Internet. With physical purchasing cycles potentially being disrupted, what will happen to that remaining 85.9% of business activity?
Risk 2: Plummeting Employee Productivity
Every industry will be impacted, as organizations are likely to see. Some 40% of staff during this period may be unable to work due to sickness, either directly or indirectly. Even if your employees are not sick, many will be affected by the need to care for ill family members. They may also need flexible working hours due to school and daycare closings.
Risk 3: Stressed Supply Chains
The global economy is still highly integrated and most countries and companies rely on vendors for their business. From pharmaceutical raw materials to electronics to most consumer-good products, there will likely be purchasing delays. Heavy equipment and manufacturing supply chains are already being impacted by COVID-19 spreading across Asia and Europe. Let us also not forget that a major trade war with many trading partners remains unresolved.
Risk 4: Recession, Unemployment and Investment Pull-back
Forecasts indicate that we will likely be in a full recession by the fourth quarter of this year. Will consumers reduce their spending? Conferences are getting canceled. Corporations are asking people to work from home. Schools are asking students to not to return after Spring Break. Watch the hospitality industry for signs of economic health. The economic engine of growth is driven by continuous investment as well as consumption. Experts are uncertain whether a COVID-19 vaccine will be available before the first quarter of 2021. Investments are highly negatively impacted by uncertainty and corporations will likely cut back growth investments, contributing to a rapid rise in unemployment. There may be significant layoffs at existing businesses in the “second wave” of COVID-19 that may surge again in the third quarter.
Risk 5: Economic Instability and Civil Unrest
The United States will go through a major election cycle in November. This election, more so than any other in recent history, represents two very different sets of policy options that will dramatically alter how businesses operate from taxation to foreign trade to talent management. This is not a political statement. Either scenario is manageable. It is the uncertainty over which scenario will prevail and how those policies will be carried out that will drive the risk.
The U.S. budget deficit is at a record high. Government spending will ramp-up, but that may not be effective due to lack of planning and preparedness. Great Britain has left the European Union and is likely to see dramatic changes go into effect in December 2020 which are likely to trade, immigration, and a large range of other areas of international business, at the same time a second wave of COVID-19 may be hitting.
So now what? Organizations need to put in place mitigation plans to address each of these risks. By taking these steps they will be in a better position to reduce the risks that the coronavirus will have on their business.
The mitigation activities that your business can prepare can be wide ranging depending on your industry, geography, size, and other factors. These initiatives may include activities such as shifting budgeting from fixed costs to variable spending to provide flexibility in times of uncertainty.
Below I highlight five risk management steps that organizations should think about as they defend themselves against the pandemic.
Step 1: Readiness Assessments
A readiness assessment is a good place to start when organizations don’t know what their business continuity program should comprise. Industry and role readiness templates as well as pandemic-specific templates allow an organization to evaluate their business continuity program against a best practice standard and identify where gaps may exist. These readiness libraries break down standards and best practices into actionable pieces so that organizations can track progress and adherence.
Step 2: Risk Management Plan
All organizations should complete a risk assessment on their core business processes to identify and prioritize any new risks or gaps in their existing controls for new scenarios like pandemics, recession, and geopolitical conditions risks. First-level managers on the front line when prompted with risks are in the best position to be able to assess how these scenarios will impact their areas of responsibility.
Step 3: Business Impact Analysis
Not all risks within processes or functions within an organization should be treated the same way. A business impact analysis allows organizations to identify which parts of the business are most critical to its operations. Use the results to determine which parts of the organization to prioritize during a business continuity plan event to maintain operations.
Step 4: Policy Management
As the pandemic evolves and new information arises, policies will need to be revisited and updated and communicated. For example, reviewing and revising a work-from-home policy will be effective only if dissemination of that revised policy is made with governance tracking for adoption across the organization.
Step 5: Incident Management
Incident management is typically a highly siloed activity embedded within a process. In times of change management, a unified enterprise-wide mechanism is needed as an input to evaluate the effectiveness of mitigation and policy activities as well as to manage the exceptions, which are typically 20% of all activities.
In LogicManager’s 15-year history, I have seen that 100% of business scandals were known at least six months in advance, with more than enough time to take action to eliminate most, if not all, of the downside.
Let’s walk through a specific example of how we used risk management transition to “Work from Home” to learn how all this comes together:
Step 1: Readiness: Having a library of best practices standards like Center for Disease Control (CDC) and The Federal Financial Institution Examination Council (FFIEC) to guide your pandemic planning readiness is essential to start the thinking process of transformation. You can select just 10-25 questions from these standards and push out to all managers enterprise wide or a subset of front line managers in sales, marketing, service, finance, HR and others in a risk management plan to learn their state of preparedness in risk management on any topic. To evaluate your overall readiness in risk management, take this assessment.
Step 2: Risk Management Plan: A number of risk events could trigger the need to work offsite (severe weather, pandemic, changes in infrastructure). These external risk factors should be assessed and prioritized.
From the FFIEC guidelines this is a readiness indicator we used that did double duty in our work from home readiness planning: “Testing communication and remote access capability (e.g., switching to alternate equipment or telecommuting)” is essential for businesses. We ask participants to list what could go wrong and what needs to happen. The idea of risk management planning is that one readiness assessment can serve many different kinds of scenarios so an organization will always be ready regardless of which scenario comes to pass.
Step 3: Business Impact Analysis: A Business Impact Analysis (BIA) should include the basic questions for each department head: (1) Are your employees equipped to work remotely with laptops and (2) Can critical job functions be completed when working remotely. This BIA will help to identify what might need to change to better respond to business interruptions. A predefined enterprise-wide standardized on a scale of 1-5 should be used for any and all BIAs and predefined that works for all issues across the entire company to “risk rate” the impact of the issue, the likelihood of this issue happening and the effectiveness of controls over that issue. The net score will help put all issues on a common denominator to allow an “apples to apples” comparison so you can quickly and objectively confirm with subject matter experts inside your organization what preparations are most important. For example, transitioning and transforming physical events and customer meetings into digital equivalents can achieve social distancing while still sustaining revenue generation.
Step 4: Policy Management: Due to the risk assessment and impact prioritization, it will likely trigger a need to review policies and procedures to ensure the expectations and steps for working remotely are clearly communicated. For example, a WFH policy was developed for very short term or ad hoc needs. For a Pandemic the WFH policy needs to be tied to a Key Performance Indicators (KPI) as a Pandemic WFH can turn into a six-week to six-month requirement and performance needs to be monitored to ensure goals are being achieved with leading indicators rather than lagging ones. For example, a review of the activities that lead to sales will let you know if any of your sales reps are struggling. These policy changes then need to be escalated to the right committee in your organization and then pushed back out to all employees and resigned for people operations compliance. Tying the context of how this requirement was surfaced and when the policy was changed while providing evidence of acknowledgement by employees will save your organization from unintended compliance liabilities.
Step 5: Incident Management: Enable pre-made incident reporting webforms for employees to report events that would lead to remote work policies being triggered, escalate issues they identify when working remotely, and ask questions back to management. It is important that now that “management by walking around the water cooler/coffee machine” is gone, there is enterprise-wide incident management that provides all employees a way to escalate issues and concerns that can then be turned into a FAQ published back out to all employees on a one-business-day or less turnaround. This gives employees confidence in their job safety and provides managers at the appropriate level a holistic view of what is happening in their teams, departments and organization. For example, this includes questions like needing equipment like a monitor, keyboard or a headset to effectively work from home, getting manager approval, and figuring out a way to make the equipment available. It is critical that these incident management issues can be work flowed from the individual that reports it to the chain of who needs to take action and that this tracking and follow-up is recorded and reported. These incident escalations cannot be siloed within one department’s system; it needs to be an enterprise-wide resource and response management platform that ties back to each of the other five steps: Policy Management, Business Impact Analysis, Risk Management Plan and Readiness. The Business Impact Analysis scores will then carry forward to provide a follow-up priority and an affirmation sign-off that things get done.
What Does the Future Look Like?
Economists are debating if there will be a sharp, short recession or a prolonged downturn. I think this is not the most helpful of options to spend our time considering. The approach we need is to recognize we all have more than enough time to use the risk management methods I have outlined above to identify the business impact of the risks to our organizations and mitigate 80% of the negative outcomes. Then, we can monitor incidents that slip by to quickly make changes to policies and disseminate these policies back through our organizations in quick, tight iterative cycles. This approach will cover both scenarios and turn fear into action.
Since it is on everyone’s mind though, here is a risk management view of the domino effects: The first wave of fear we now find ourselves in is decimating the hotel, travel, restaurant, casinos, amusement parks, live performances, movie theaters industries where people congregate. These jobs cannot telecommute and do not typically have healthcare or much paid sick leave. This vulnerable segment may be enough to trigger a banking crisis of home mortgage defaults and a sharp hit to retail shopping. This indicates a sharp recession is already on its way.
Most health care experts believe a vaccine is more than a year from being in the hands of those who need it, and containment is no longer an option. That means the coronavirus is likely to enter a “second wave” as autumn turns to winter and the highly infectious COVID-19 makes up to 70% of the population sick over a two-year period. Mortality and severity of sickness aside, consider the fact that 80% of the U.S. GDP comes from the services industries. These services will be hard to provide if most of the population doesn’t want to interact face-to-face with customers. This points to the possibility that the recession may extend into a prolonged and deep downturn.
Still, there is a silver lining to every dark cloud. On the macro level, the Federal Reserve has announced it will pump in $1.5 trillion to stem the stock market meltdown. It remains to be seen how well this measure will work to stabilize the market.
On an organization-by-organization level, there will be those that adopt a risk-based approach to transition and transform their organizations to thrive in the new normal. As Winston Churchill once reportedly said, “No crisis should go to waste.” That is what happened during the disruption to air travel after the World Trade Center attacks on September 11, 2001. Airports that used risk management strategies were able to transform their transportation mission to include entertainment centers for travelers who needed to be two hours earlier than their flights. They redesigned airport terminals to have a vast array of restaurants, shopping and entertainment options behind security that did not exist before. This led to the creation of new revenue streams. In the same way, after the financial crisis of 2008, banks that had used risk management to diversify operations with new fee-based services were able to thrive by replacing the revenues lost from interest income.
The most important lesson to learn from severe shocks like this pandemic is that they represent an opportunity to permanently shift the markets in which we operate. Actions that may have previously seemed too difficult to deal with may now be addressable. We have seen pollution nearly disappear over Wuhan; perhaps we also have an opportunity to affect climate change. With so many organizations transitioning to systems where their employees can work from home for extended periods, perhaps telecommuting will replace long-distance commutes. That might give us some hours back each day to live our lives. With the focus on good hygiene, we may abandon the medieval practice of shaking hands. With the deep costs of health care, we may put up the money to find a cure for COVID-19 as well as the seasonal flu.
If none of these lofty — and possibly unrealistic — wishes is achieved, perhaps a small bright side is we may find comfort in binge-watching our favorite shows and reconnecting with our families. Moving the care and well-being of our families back to the center of our lives may well be a more positive outcome than anything that merely mitigates business risks.