As the coronavirus spread beyond China, some organizations responded swiftly to news of even one or two cases among employees, suppliers or clients; others took a more wait-and-see approach. The disparity likely stems, at least in part, from different approaches to enterprise risk management (ERM) — and reaffirms the business case for methods, processes, response thresholds and actions to protect enterprise goals, earnings and capital.
For many companies, ERM has become a check-the-box activity during the decade-long period of economic growth, but the coronavirus pandemic clearly shows the need for attention and rigor.
“ Gartner research shows that an agile response occurred far more often when clear processes already existed”
“The biggest problems with a pared-down, formulaic approach to ERM often don’t emerge until it’s too late,” says Matt Shinkman, Practice Vice President, Gartner. “Complicated flowcharts and in-depth policy manuals intended to guide escalation decisions during a crisis are often difficult and time-consuming to follow; they aren’t a substitute for an effective ERM function.”
Gartner research shows that the most effective ERM programs require:
- An agile “impacts-based” approach to create crisis escalation procedures.
- A business leader responsible for monitoring for a specific type of risk who gives clear, simple guidance about when it is appropriate to escalate risk information to the crisis management team.
Coronavirus is exactly the type of fast-emerging risk with uncertain consequences that can be ignored until it's too late for traditional escalation procedures to be effective. When reports of lockdown came from China, most organizations in the West had weeks to act on this information but chose to wait and see.
“ Coronavirus may have drawn executive attention on ERM, but it’s crucial they understand that the business benefits extend far beyond”
In this scenario, the threshold for escalation is too high because it relies on a trigger where operations have already been badly affected. Better-prepared companies responded to news of minimal spread and rapidly drafted contingencies before the situation deteriorated much further.
Gartner research shows that an agile response occurred far more often when clear processes already existed to report and escalate absences or issues due to infectious diseases. In other words, a proactive ERM team had already set the threshold for escalation quite low to account for the potentially extensive consequences of the risk if no action occurred. Line management also felt empowered to raise the issue and this led to swift and effective mitigation.
Read more: Stress-Test Your Business Continuity Management
Aligned risk management
The key to delivering effective ERM is to ensure that business executives contribute to evaluating and defining the enterprise risk appetite. This also ensures that ERM can assign risk ownership at the highest level of organizational decision making.
This view clarifies and formalizes the enterprise position that certain risks, such as a pandemic, are threats to strategic objectives like business growth. Leaders can then agree in advance that however remote a risk might seem, its emergence will trigger decisive and quick action to mitigate the effects — driven by a predetermined team of owners and actions.
“ Initiatives with timely risk management are more than twice as likely to completely satisfy senior stakeholders”
Aligning ERM with strategy also positions an organization to take certain risks to seize opportunities that might otherwise be missed.
“Risk is like cholesterol, there are good and bad kinds,” says Shinkman. “The bad kind manifests in wrongdoing or poor decisions, but the good kind helps an organization to take bigger, riskier growth bets — which is the single biggest differentiator of profitable growth.”
More than simply avoiding downside risk such as coronavirus, an agile and effective ERM function empowers an organization to take the right risks to grow. A 2019 Gartner review of strategic initiatives in 388 organizations showed a significant opportunity cost where risks are not surfaced and mitigated in a timely fashion.
In fact, strategic initiatives were delayed 1.26 months on average in a year by untimely risk management. For a product launch at an average $5B market-cap company, this amounts to $99 million in opportunity cost.
Effective risk management is also closely correlated with several other important business outcomes. For example, initiatives with timely risk management are more than twice as likely to completely satisfy senior stakeholders or be completed ahead of schedule. Moreover, they are almost twice as likely to come in 5% or more under budget.
“Coronavirus may have drawn executive attention on ERM, but it’s crucial they understand that the business benefits extend far beyond avoiding a crisis,” says Shinkman.