GRC Supper Club

Will Covid-19 lead to a reframing of Operational Resilience in the boardroom?: 20 Questions & Answers

25/5/2020

The first virtual GRC SC took place on the 14 May, 2020. The topic for Episode 1 of the Covid 19 Trilogy was - Will Covid-19 lead to a reframing of Operational Resilience in the boardroom?

Below are 20 attendee questions, which have been kindly answered by our esteemed panelists (Dr. Sandra Bell (SB), Michael Rasmussen (MR), James Green (JG)). The detailed responses below build on the content within the individual talks, which can be watched through the SCTV speeches.

Q.1: BCM has clearly not been successful as the majority of organisations have made huge human cuts - the execs protect the business - where is the human ethic in the board room? Therefore all employees should have visibility of the BC plan.

  • (SB) There are three main issues wrapped up in this question. COVID-19 raised awareness of what BCM is, and isn't, and identified that many people's perceptions of what it should achieve and where it sits within an organisation are different. COVID-19 also demonstrated that the implementation of BCM is not consistent across the world, resulting in widely diverse degrees of success. Business Continuity, as defined by international standards, is an operational construct in that it builds "capability within the organisation to continue the delivery of [a subset of] products and services at acceptable pre-defined levels following a disruptive incident" (ISO 22300:2012). It is (or should be) driven by the risk appetite of the board, who define the products and services and the level that they want to continue them at, together with the situations that they wish to plan for. These form the "planning assumptions" for the organisation.
  • (SB) Minor operational disruptions that fall below this envelope are usually dealt with as "incidents" within Business as Usual and major operational disruptions that either fall above this envelope or have a significant strategic impact, are dealt with by the board using Crisis Management arrangements. The issue for many organisations with COVID-19 was that the majority of their pandemic planning assumptions were based on the 2009 H1N1 pandemic which was a mild to moderate disease and did not require the implementation of measures such as lockdowns, work closures and travel restrictions by governments to slow the spread and reduce deaths.
  • (SB) In many cases this was “by design” e.g. the board understood that they only had operational continuity for mild to moderate pandemics and would need to respond strategically to anything larger – but in some cases they were taken by surprise. Which brings us to the issues of where BC sits in an organisation and how it is implemented. As stated above, BCM is an “operational” construct designed to reduce the chance of “operational disruptions” escalating to strategic risks. It therefore generally sits within operations but should be driven by the requirements of the board. It should also be a facilitation function.
  • (SB) It is well known that “no plan survives first contact with the enemy” and therefore it is the knowledge gained by the whole organisation in the act of planning that is important rather than the plans themselves. I would suggest that, for the organisations that believe that BCM failed, this has more to do with the implementation than the discipline itself.

  • (MR) From my perspective, BCM has not been successful in many organizations because it has been approached tactically and not strategically, it has not been an integrated part of enterprise and operational risk management and has been treated as a separate function, and it has been dominated by IT security and failed to achieve its broader purpose in business and operational resiliency.
Q.2: In conversations that I have had, some organizations are blaming Risk Managers for not planning for COVID-19. Are you hearing this and is that a fair analysis? A rare but significant risk that everyone knows about, but no one wants to discuss. There was planning around this, and some companies did plan. How can we say that this is a Black Swan?

  • (SB) Risk Managers identify and assess risks; they also manage the controls. But the board set the risk appetite that defines the scope of the controls. Therefore, either the Risk Manager failed to identify and communicate the risk, or the board decided to accept it. Pandemics are unpredictable but recurring events, and all measures such as lockdowns, social distancing, travel restrictions, school and work closures are detailed in internationally agreed documents that are openly available from the World Health Organisation. Likewise, the need for governments to plan for the various economic stimuli that we have seen implemented is a legal requirement under the International Health Regulations. In my opinion COVID-19 is a long way from being a black swan.

  • (MR) This is not a Black Swan. It has been on the list of the top risks from the World Economic Forum, world leaders and business leaders have warned us about pandemics, and history has shown us they happen and have huge impacts. Risk management fails because it is myopic and siloed and too focused on IT security risks at the expense of other risks. IT security risk is a big area, but not the only area. We also have to see the interconnectedness of risks. This pandemic, a health and safety risk, has had a cascading impact of economic risk, fraud risk, modern slavery and human rights risks, HR risk, supply chain risk, IT security risk, and more.
  • (JG) It was not a black swan. Did the organizations have a plan? Was it actionable? Was the risk brought to management's attention and did management accept or mitigate the risk? That is the job of the Risk Manager.
Q.3: How can GRC help to manage Operational Resilience?

  • (SB) Operational Resilience is not really something that lends itself to being “managed”. You can manage the implementation of assets and risk controls that eliminate single points of failure and provide diversification of activities. You can also manage contingency planning activity such as Business Continuity. However, Operational Resilience requires people to think creatively under stress and adapt in a positive way to the situation. This requires “leadership”.
​​
  • (MR) GRC, as officially defined in the GRC Capability Model, is a capability to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance]. Operational resiliency requires an integration and collaboration across all of these areas so the organization can reliably achieve objectives while addressing risk and uncertainty and maintain the integrity of the organization. Operational resiliency requires an integrated approach to operational risk management and business continuity management. 
Q.4: Do you see a challenge between the costs of managing climate change and pandemic management risk versus shareholder value?
 
  • (SB) Although the numbers are hard to pin down with any accuracy – all commentators seem to agree that our cities, the way we work and interact with each other, and where wealth is concentrated will all change irrevocably. Densely populated cities are more energy efficient. However, it is arguably dense populations that caused the pandemic to spread so fast and so far in the first place.
  • (SB) Therefore, in my opinion, the future is likely to see a conflict between the demands of public health and climate. This conflict could easily make the temporary social distancing measures that we are adopting, such as remote working and home-based entertainment become permanent.

  • (MR) We struggle with being short-sighted and this is a challenge as it is hard to get management support for these types of risk as they seem far off or too big. However, organizations need to be addressing this today to be sustainable and have a future. I wrote a blog in December of 2019 on this topic "Tale of Two Futures: is Our Future a Blade Runner Future or a Star Trek Future?" The choices organizations make today decide this future.  

  • (JG) I do not. The cost of one risk mitigated will have a tremendous ROI.
Q.5: I was (a few years ago) at Company ABC in their Resilience Risk Management function to provide frameworks and 2LoD for all operational / non-financial risks. Management was always with the 1LoD function that owned the actual direct risk. We found the heatmaps themselves were not particularly useful; it was (i) the trends and (ii) the discussion that was more helpful. And, the thing we used to say when meeting Executives was: does the heatmap reflect what keeps you up at night? It meant we often did not talk about the heatmap at all!!! What have you seen in your experience?

  • (SB) Heatmaps are the same as plans – it is the collective knowledge and understanding gained through their creation that is valuable. The heatmap and plans are simply an audit trail that the activity has taken place and a convenient place to store information.
 
  • (MR) Heat maps often misrepresent risk. They also fail to show the interconnectedness of risk in how one risk event can trigger a cascading impact of other risks. We need to think creatively as well as structurally about risk. This involves both right-brain and left-brain thinking on risk and risk management.
Q.6: I appreciate that Risk Management often focuses on addressing recent problems that have occurred. But shouldn't we all focus on threats to resilience - which is incredibly broad and much harder, but will mean we are better prepared for a range of potential scenarios and the next global event?  
 
  • (SB) The Business Continuity lifecycle starts with two activities: a Business Impact Analysis and a Risk Assessment. The Business Impact Analysis is normally carried out first and “should” be a systematic analysis of individual activities within a business together with a determination of the business impact should they be disrupted, regardless of what disrupts them. The Risk Assessment then looks at the risks to the priority activities.
  • (SB) However, a common mistake is to join the two activities together and simply ask each team or business unit to identify what is important to them, often using a spreadsheet or a specialised software package, bundle that information together and then create multiple localised plans and capability to meet their individual needs.
  • (SB) However, if you do this you find that each team or business unit will have based their analysis on their individual Business as Usual (BAU) priorities and local risks rather than those that have the largest capacity to threaten the strategic objectives and financial stability of the organisation.

  • (MR) I completely agree, and this requires that we use a range of risk analysis techniques such as bow-tie risk assessments, scenario analysis, stress testing, and table-top exercises.
Q.7: In my experience, risk is viewed transactionally, as we've heard tonight. Do you see any likelihood that we will see a move towards more progressive approaches without changes to Board level? 
 
  • (SB) I think that as the business risk landscape continues to become ever more characterised by instability, complexity and risks with adversaries we will start to see the emergence of boards requiring more dynamic forms of risk management within their organisations.
Q.8: Would you recommend that organisations setup new departments called "Operational Resilience Management" and create new job roles called "Operational Resilience Manager" to deal with operational resilience?  

  • (SB) Operational Resilience is not really something that lends itself to being “managed”. You can manage the implementation of assets and risk controls that eliminate single points of failure and provide diversification of activities. You can also manage contingency planning activity such as Business Continuity. However, Operational Resilience requires people to think creatively under stress and adapt in a positive way to the situation.
  • (SB) This requires “leadership”.  I think that a management focus on the capability is a good thing, but it must not be allowed to divert attention away from the leadership element. There is no point "having all the gear, but no idea". 

  • (MR) Not specifically, we need to evolve enterprise and operational risk management and fold BCM into these functions so it can deliver operational resilience. 
Q.9: Do you believe organisations will change their approach to deal with low frequency x high severity risks? These risks don't get high enough on the risk heatmaps and hence may get ignored. For such risks, does assessing likelihood or frequency even matter?

  • (SB) Over the past few years there has been an increased board focus on crisis leadership and “organisational resilience” (as opposed to operational resilience). This is partly due to the change in the risk landscape to one that is characterised by instability, complexity and risks with adversaries which require real time response. However, it is also due to the need to respond effectively to high impact, low probability events.
  • (SB) In our consumer-driven world with 24/7 news cycles and social media, people are no longer happy to wait while an organisation executes a heroic recovery – they will just switch supplier. There is no doubt that the changes that we have seen in the board will move down into operations and suppliers, requiring greater agility and adaptation.
 
  • (MR) Do I believe organizations will change . . . yes, for a period of time there will be great focus on low frequency with high severity risks. When the risk does not happen too often over time it fades and falls off the radar. THIS SHOULD NOT HAPPEN, but it does. 
 
  • (JG) Prior to COVID-19, I personally found the only organizations that really focused on low frequency/high severity risks were the ones that experienced them. (E.g. organisations in the southeast United States with hurricanes, Philippines and typhoons).  I expect more organizations to now be mindful of these types of events, but not most.
Q.10: In my experience - CROs and their background plays a key role in how boards and senior executives perceive risk management. CROs need to be champions for risk management for board and senior executives. They need to ensure that risk management is perceived as a valuable business management tool to define and execute strategies successfully. If CROs cannot do this then risk management will always be perceived as compliance/regulatory function. Would you agree? 

  • (SB) YES.
 
  • (MR) I agree. We need to strategically align risk with the objectives and strategy of the organization, and have it be an integrated part of decision making at all levels of the organisation.
 
  • (JG) Ideally, the CXO should always be the champion of whatever that X function is. This is not often the case but is not limited to just risk. I see this quite often with CIOs and CHROs for example.
Q.11: Helping humans make better decisions: I don't particularly like heatmaps for reporting relative risk significance, but what is a better format? Should it be different for SMEs assessing risk, and boards for managing risk?

  • (SB) One way to use heatmaps effectively is to construct scenarios from them. A heatmap divides risks into discrete elements for more efficient planning and management of static controls such as security or checking processes. However, in the real world, many risks are realised at the same time and one risk may trigger another.
  • (SB) Walking through different scenarios with an executive coach allows leaders within the organisation to hone their decision making under stress skills together with the ability to create a common picture of what is happening from a diverse set of sources necessary to guide the organisation through the crisis.
 
  • (MR) Good risk management will use a variety of risk visualisation, quantification, and analysis techniques to look at risk from a variety of angles. 
Q.12: Should the Board modify role descriptions, performance objectives, and/or organization structure?

  • (SB) For some organizations, yes. But this is highly dependent on where these are at today. Some organizations have clearly integrated and defined role descriptions, performance objectives, and structure for risk and operational resiliency and others do not.   
 
  • (MR) I have found that the fastest way to create a true culture of something is to tie that item to job descriptions, bonuses and performance reviews.
Q.13: In the current crisis it seems that Boards are becoming management teams and therefore do we still need Boards?

  • (SB) In a crisis situation the job of the board is to manage the crisis in a way that: limits damage, increases the confidence of customers and stakeholders, and minimises the recovery time and costs. In doing this they need to ensure efficient cooperation and coordination of operational teams by setting priorities and resolving any conflicts of interest. Their role is to decide “what” needs to be done whilst their operational teams decide “how” to achieve it.
  • (SB) If the board are carrying out operational roles, then one of two things is wrong. Either the operational teams are not doing it and the board are having to cover for them as well as doing their own job, or the board are using what is often termed a “long-handled screwdriver” because operations is in their comfort zone and they have not been coached in the crisis leadership role.
 
  • (MR) Boards govern the organization and need to remain with that function. However, in a time of crisis, they can step in and be more involved and direct, but outside of a crisis, they should be stepping back to govern.  
Q.14: What if board members are unable to offer the necessary availability and time commitment as the crisis intensifies?

  • (SB) When thinking about responding to a crisis, an organisation needs to take into account the staffing of the various response teams. Most organisations are lean, but they need to make sure that where specialist human resource is scarce they have people who are trained and can step up when required. Likewise, many crises are long term, which means that you need several changes of staff to prevent fatigue.
 
  • (MR) It is time for them to either step up or step aside. It is their job to govern and direct the organization and in a time of crisis this is critical.  
Q.15 Risk is part of an attitude. It’s like a kid discovering hot and cold. We spend most of the time focusing on measurement methods as if we can’t measure, we can’t control. As such, do we fail to assess risk as a response of a decision?

  • (SB) Yes - see answer to the heatmap question. Our risk registers and heat maps are often the equivalent of the parts list of a car together with the likelihood and impact of the individual components breaking. What we need to understand is the impact that this will have on our journey.
 
  • (MR) Good risk management is an integrated part of decision making to make good decisions to enable the organization to reliably achieve objectives while addressing risk and uncertainty.  
Q.16 Fully agree with James and it says a lot about the quality of many Boards. GRC needs to penetrate the Board, and how come they are so ignorant?

  • (SB) When risk management becomes institutionalised it tends to become defensive. Therefore, instead of seeking the upside of the uncertain situation people tend to “cover their backs” and implement measures to reduce the impact and likelihood of the potential negative consequences.
  • (SB) By using heat maps as the only way to communicate operational risks to the board they only get to see the treated risk rather than the raw risks. This gives them an unrealistic picture of their risk exposure as no risk control is 100% effective.
 
  • (MR) Poor communication, lack of awareness, and too much history of operating in silos suffering with myopia.
  • (JG) Lack of time devoted to risk at Board meetings, and Board Members not understanding the Board packet prior to a meeting.
Q.17 So, do you believe that the future of overall risk management will be a holistic one? Seeing that departments, teams, projects, supply chain and customers are so closely connected through (IT) systems - a shared view and management approach to IT/security, operational, health and safety risks... [no camera please ;)] 

  • (SB) I certainly hope that we will see a move to understand how risks and controls interact in a complex holistic manner.
 
  • (MR) It is a holistic and integrated approach to true enterprise risk management that brings a 360° contextual awareness or situational awareness to risk and can identify and see the interconnectedness of risk and the cascading impact of one risk on another. 
Q.18 What do you believe is the best way for resilience teams to actually demonstrate operational resilience? We have seen some companies cutting their BCM teams during the pandemic due to budgets but also because they provided low value to prepare and recover from the impact of covid-19.  

  • (SB) BCM is but a small element of operational resilience. Playing devil’s advocate, it is quite possible that some companies have cut their BCM teams because they falsely promised that what they did delivered operational resilience.
 
  • (MR) I think this is a short-term reaction as organisations have to shift resources to the here and now to get through the pandemic. Coming out of the pandemic, we should see a lot of growth and maturity of BCM functions as they integrate with enterprise and operational risk management functions to deliver operational resiliency.
 
  • (JG) Teams don't often quantify the work they do. How did you prevent revenue/income from dropping, how did you decrease insurance premiums, how did you minimize disruption to the business? You have to document and quantify, if possible, that last mile.
Q.20 Learning from the past is essential to avoid returning to the old normal. Shouldn’t the outcome of this crisis be to revisit our stalled political & economic model and introduce for instance the Doughnut economic model where more attention is given to the social & environmental component and giving purpose to governments & corporations to better balance the resources on earth?  

  • (MR) Yes, organizations need to be making better decisions today to protect both the short-term and long-term future of the organization as well as the world and its resources. Check out my blog on a Tale of Two Futures.
    Author

    Moderator: Lee Edge
    Authors: Team GRCSC
© GRC Edge 2020