Risk oversight in the wake of the pandemic

October 2020

The COVID-19 pandemic and its economic impact are once again raising questions about the state of enterprise risk management (ERM) in large global companies and the options for improving it. Like previous crises, this one is forcing companies and their boards to consider whether they could have done more to anticipate and prepare, and whether their responses could have been more effective. Many of the questions that directors raise are specific to COVID-19, but others take up the issue of ERM more generally: In what ways could corporate risk management be better at identifying risks and assessing how they might play out? How can companies build more resiliency toward unknown risks, including the ability to rapidly restore business operations?

On September 18, 2020, members of the North American and European Audit Committee Leadership Networks (ACLN and EACLN, respectively) met virtually to discuss these questions. They were joined by Amy Brachio, global business consulting leader at EY, and Panu Haapaniemi, director of risk management at UPM, a forest industries company based in Finland.

Several themes emerged regarding how companies and boards can improve risk management.

  • Go deeper on risks and their interdependencies 
    Members and guests agreed that companies and boards should do more to identify risks and to understand how risks can amplify and interact with one other. They mentioned several approaches to uncovering more risks and understanding their dynamics: expanding scenario planning to include more variables; tapping the insights of more stakeholders, including younger employees and others deeper down in the organization; using sophisticated data analytics to reveal relationships between risks; and implementing online collaboration tools to improve communication about risk and risk mitigation across the organization.

  • Build resiliency for responding to unexpected risks 
    Even the best efforts to identify risks and predict their impact will sometimes fail to anticipate major events, so members and guests underscored the importance of resiliency. Diversify the supply chain and be ready to identify and address its vulnerabilities, they urged, and build more flexibility into operations so production can be shifted among business units and geographies as necessary. Also critical for an effective and sustained response to a major crisis is the health and well-being of the workforce; companies should create a corporate culture that supports open communication from employees about their needs. Improving resiliency will entail additional costs, creating tension at a time when pressures to cut costs are strong, but as an audit chair noted, the returns may be worth it many times over.

  • Enhance the role of the board 
    The board can play an important role in ensuring that risk management is comprehensive and integrated into the business and its strategy. Separate committees for risk and even for specific risks, such as cyber, can be helpful to achieve focus and depth. At the same time, the board’s collective experience can be invaluable in identifying emerging risks. Moreover, the board can fruitfully take the lead on integrating risk and strategy, ensuring that risk management becomes less a bureaucracy and more a tool for running the business.