Will Covid-19 lead to a reframing of Operational Resilience in the boardroom?: 20 Questions & Answers
Q.1: BCM has clearly not been successful as the majority of organisations have made huge human cuts - the execs protect the business - where is the human ethic in the boardroom? Therefore all employees should have visibility of the BC plan.
Q.2: In conversations that I have had, some organizations are blaming Risk Managers for not planning for COVID-19. Are you hearing this and is that a fair analysis? A rare but significant risk that everyone knows about, but no one wants to discuss. There was planning around this, and some companies did plan. How can we say that this is a Black Swan?
Q.3: How can GRC help to manage Operational Resilience?
Q.4: Do you see a challenge between the costs of managing climate change and pandemic management risk versus shareholder value?
Q.5: I was (a few years ago) at Company ABC in their Resilience Risk Management function to provide frameworks and 2LoD for all operational / non-financial risks. Management was always with the 1LoD function that owned the actual direct risk. We found the heatmaps themselves were not particularly useful; it was (i) the trends and (ii) the discussion that was more helpful. And the thing we used to say when meeting Executives was: does the heatmap reflect what keeps you up at night? It meant we often did not talk about the heatmap at all!!! What have you seen in your experience?
Q.6: I appreciate that Risk Management often focuses on addressing recent problems that have occurred. But shouldn't we all focus on threats to resilience - which is incredibly broad and much harder, but will mean we are better prepared for a range of potential scenarios and the next global event?
Q.7: In my experience, risk is viewed transactionally, as we've heard tonight. Do you see any likelihood that we will see a move towards more progressive approaches without changes to Board level?
Q.8: Would you recommend that organisations set up new departments called "Operational Resilience Management" and create new job roles called "Operational Resilience Manager" to deal with operational resilience?
Q.9: Do you believe organisations will change their approach to deal with low frequency x high severity risks? These risks don't get high enough on the risk heatmaps and hence may get ignored. For such risks does assessing likelihood or frequency even matter?
Q.10: In my experience - CROs and their background play a key role in how boards and senior executives perceive risk management. CROs need to be champions for risk management for board and senior executives. They need to ensure that risk management is perceived as a valuable business management tool to define and execute strategies successfully. If CROs cannot do this then risk management will always be perceived as a compliance/regulatory function. Would you agree?
Q.11: Helping humans make better decisions: I don't particularly like heatmaps for reporting relative risk significance, but what is a better format? Should it be different for SMEs assessing risk, and boards for managing risk?
Q.12: Should the Board modify role descriptions, performance objectives, and/or organization structure?
Q.13: In the current crisis it seems that Boards are becoming management teams and therefore do we still need Boards?
Q.14: What if board members are unable to offer the necessary availability and time commitment as the crisis intensifies?
Q.15: Risk is part of an attitude. It’s like a kid discovering hot and cold. We spend most of the time focusing on measurement methods as if we can’t measure, we can’t control. As such, do we fail to assess risk as a response of a decision?
Q.16: Fully agree with James and it says a lot about the quality of many Boards. GRC needs to penetrate the Board and how come they are so ignorant?
Q.17: So, do you believe that the future of overall risk management will be a holistic one? Seeing that departments, teams, projects, supply chain and customers are so closely connected through (IT) systems - a shared view and management approach to IT/security, operational, health and safety risks... [no camera please ;)]
Q.18: What do you believe is the best way for resilience teams to actually demonstrate operational resilience? We have seen some companies cutting their BCM teams during the pandemic due to budgets but also because they provided low value to prepare and recover from the impact of Covid-19.
Q.19: In my experience - CROs and their background play a key role in how boards and senior executives perceive risk management. CROs need to be champions for risk management for board and senior executives. They need to ensure that risk management is perceived as a valuable business management tool to define and execute strategies successfully. If CROs cannot do this then risk management will always be perceived as a compliance/regulatory function. Would you agree?
Q.20: Learning from the past is essential to avoid returning to the old normal. Shouldn’t the outcome of this crisis be to revisit our stalled political & economic model and introduce for instance the Doughnut economic model where more attention is given to the social & environmental component and giving purpose to governments & corporations to better balance the resources on earth?