It appears unlikely that a resumption to business as normal will not materialise for most UK organisations, firstly as time will be required to prioritise operational matters in order to deliver a phased return to customer service, as well as catch up on matters that have been put on hold during the lockdown.
Nevertheless, there will come a time when review of the impact of the pandemic on every organisation will be required in order to consider whether risk management and business continuity arrangements were robust and what lessons can be learnt from the experience.
Critically, a review of the organisations risk matrix will need to be undertaken in a transparent manner; this will require a systematic risk review that considers whether key inherent risks were identified and whether the relative risk assessments were an accurate reflection of recent experience. This should identify whether a balanced approach had been taken to establishing a risk management policy; was sufficient attention given to operational risk issues as opposed to regarding everything as a financial matter.
Key issues for every organisation will be to consider matters such as:
- Did the existing technology infra-structure support the new needs of the organisation, particularly home-working?
- Was the supply chain robust or was the organisation too reliant on a small number of key suppliers?
- What was the impact on our staff, regarding changes to working arrangements, furloughing or indeed possible the need in the short-term to recruit extra staff?
Now is clearly the time to consider implementing a dynamic risk assessment which considers whether the risk management fragment captures all that matters, not just that regarding COVID 19 or the next pandemic but of all the inherent risks that the organisation faces. Where a risk exist remedies need to be sought that will ensure appropriate modifications are made to existing processes to better protect the organisation should similar business interruption occur for whatever reason.
It may be that a programme of facilitation throughout the organisation can be constructed to support embedding the risk management policy throughout the organisation, this would help meet local need to understand the risk appetite of the Board and achieve best outcomes. The exercise would be designed to draw on experiences at all levels within the organisation, documenting concerns and suggested improvements with a view to presenting a risk management plan that acted as a catalyst for enhancing risk management and business continuity planning arrangements for the future.
Of course, risk management software will also help in this respect. The adoption of a standard approach to risk assessment provides a standard risk template that all managers can use to identify and assess the potentially adverse effects that an event may have on their part of the organisation. It will enable an enterprise risk management approach that considers not only whether there may be a financial impact, but also consider whether the event will have associated issues relating to customers, people, the environment or reputation; such a systematic risk-based approach will lead to more informed identification of residual risk and consequently reporting; which if using appropriate risk management software can be achieved in real-time.
This is the significant advantage of implementing Risk Management software as it allows mitigating actions to be reviewed routinely through digital prompts and as assessments are revised to ensure that the organisation remains in control. This contrasts dramatically with the outdated practice of attempting to demonstrate effective risk management through the use of spreadsheets, which require central co-ordination and repetitive chasing of managers for update in time for the next meeting. Risk Management software therefore enforces a discipline which assists in the demonstration of good governance to all key stakeholders.