Chief Risk Officers in a Crisis

Introduction

Risk management is proactive, peering around corners to identify uncertainties that may impact the ability of an organization to achieve its objectives. Crisis management is reactive, marshalling resources to respond to a risk that has already manifested and requires immediate attention. Both require senior leadership engagement to be effective, but the roles and methods can be very different. And that includes the Chief Risk Officer (CRO). If CROs are typically focused on addressing how current exposures might impact future results, what’s their role in the middle of a crisis, when a significant risk has already manifested? Many CROs have had to manage through crises, myself included, but the unprecedented nature of the current pandemic is stretching everyone into uncharted territories. The challenge (and opportunity) for CROs is to pursue actions that can add value to their enterprises, both in the immediacy of the moment and for the long-term. The following highlights two actionable considerations that cover two distinct time horizons.

Immediate Time Horizon

Most organizations have established an all-hands-on-deck approach for their senior leadership teams to deal with the coronavirus outbreak. This is expected and appropriate. All aspects of organizational activity have been impacted, and all leaders have a role to play in dealing with the countless discrete challenges that are arising. But what about Chief Risk Officers? What should their focus be in the midst of this crisis management scenario?

When leaders are reacting in the moment, there is often little time to assess the impact of decisions being made. Given that reality, these decisions might be creating risks in the process of attempting to deal with the immediate crisis. Organizations don’t have to wait for unintended consequences of well-intended decisions to manifest before addressing these kinds of collateral risks. CROs are skilled at anticipating these very kinds of outcomes. Having them intimately involved in these discussions provides a real-time forward-looking perspective on the known (or even the seemingly unknown) implications of these directives.

In some cases, the CRO’s risk insights might inform specifics of the decisions themselves, leading to adjustments that seek to accomplish the initial objective but in a manner that doesn’t negatively impact some other part of the organization. In other scenarios, management may continue down the original path, but identify additional or alternative risk responses to decrease a vulnerability that may otherwise be created. Moreover, management’s ability to articulate the thoughtful, risk-informed process it followed in formulating its crisis response actions could also pay significant dividends in the future. Identifying risks upfront provides a record that may clarify real-time decisions to oversight or regulatory bodies in subsequent audits or investigations.

CROs bring a different lens to the crisis management table, advising their leadership colleagues on the risk-based implications of the rapid decisions leaders are being compelled to make. CROs can help anticipate unintended consequences, proactively plan for them, and maintain a record for the future — all without distracting from the immediate demands on management for timely action in the midst of the crisis.

Actions for CROs for the Immediate Time Horizon:

Demonstrate to senior leaders how a proactive risk-management lens can be an invaluable component to crisis response.

Commit to assessing enterprise-level crisis response decisions for collateral consequences across all risk types, including reputational risk.

Provide feedback to crisis response teams on potential risks being created by their real-time decisions, as well as potential mitigations that might limit these exposures.

Proactively engage risk officers throughout the organization to monitor for emerging risks resulting from crisis response decisions. Provide a simple, standard mechanism to report emerging risks — as soon as they are identified — to the crisis response team.

Lead the effort to document risk-based decisions made by the crisis response team, including the decisions themselves, a straightforward risk-based rationale, and the nature of any identified risks that are being accepted as a result of these decisions. If feasible, place these decisions in the context of the organization’s risk appetite. A simple, standard form can be used, stored in a central repository, to enable easy access during future reviews by auditors, regulators, or inspectors general.

Longer-Term Time Horizon

The second perspective uniquely suited for CROs during a crisis such as the current pandemic is to anticipate the risks that their organizations may encounter when the crisis ebbs and it is time to ramp up normal operations. The vast majority of the leadership team is almost exclusively focused on dealing with the current organizational stresses from a vantage point that may not extend beyond a few days or weeks. But someone should be anticipating the challenges that may confront these enterprises when the “all clear” is given and the competitive pressures of the business world — or mission requirements in the public sector — are suddenly subjected to circumstances they never previously encountered.

Organizations will likely face risks across the full gamut from operations to compliance to financial to human capital and even to the very essence of the enterprise. Strategies may need adjustments based on new market realities. Internal operations and even organizational culture may require modifications, trying to maintain consistency with the mission, vision, and values of the organization. Each of these realities will introduce risks that were not evident just a few weeks ago.

The truth is that “normal” operations will likely not be normal in many respects right out of the gate. Organizations will encounter all manner of obstacles in their effort to return to normalcy. In order to avoid another kind of crisis when it is time to resume operational activities, someone should be analyzing these risk areas, anticipating likely scenarios, and developing risk responses that can be deployed in a proactive, rather than reactive, mode. This responsibility is perfectly suited for the organization’s Chief Risk Officer and can be performed with limited disruption to the pressing needs of the current crisis.

Actions for Longer-Term Time Horizon:

Activate processes that are normally utilized for annual enterprise risk assessments, but with the specific focus on the risks associated with the return to “normal” business operations.

As appropriate, differentiate between a partial return over an interim period, which may have different characteristics than the final reestablishment of full business operations.

Engage senior leaders to determine if anything has fundamentally changed with respect to the mission, vision, and values of the organization, its enterprise-level strategic objectives, or its risk appetite as a result of the pandemic. Risk identification and analyses should be aligned to any updates to these overarching concepts.

Provide guidance and standardized tools for risk officers to update risks in the current enterprise risk profile, along with new entrants for consideration that are specific to the post-pandemic environment. The full portfolio of risk types should be considered, including strategic, financial, operational, and compliance. Particular consideration should be given to workforce-related risks given the massive disruption to the workforce as a result of the current crisis, as well as reputational risks that may otherwise be missed without proactive assessment.

Risk identification should include both top-down and bottom-up activities, with the CRO taking the lead to obtain input from senior leaders, while risk officers capture insights from across organizational business units. These efforts should be pre-planned and targeted in order to minimize disruption to current crisis response activities.

Aggregate the input received, create/update risk statements, assess the risks for Likelihood and Impact to assist in prioritization, and prepare potential risk responses for leadership consideration.

As the nature of the pandemic will continue to evolve, this exercise should be ongoing and dynamic, perhaps including updates on a predefined cadence established by the CRO and senior leadership.

Update the enterprise risk profile based on the preceding activities and provide the results to the organization’s senior risk governance board.

Commit to working alongside business owners to provide advice on the effective implementation of risk responses as early as possible to reduce the likelihood of risk manifestation.

Summary

Most organizations are currently in crisis mode, reacting as best they can to the unprecedented health, economic, and operational challenges associated with the coronavirus pandemic. Chief Risk Officers have a unique set of skills and perspectives to provide insights and assistance to their leadership colleagues on how to minimize negative secondary effects from crisis-driven decisions. These insights can also proactively address the kinds of unanticipated challenges that may be farther down the road. These views might otherwise be missed in the midst of the crisis. CROs should seek to fill these gaps and do what they always do, seek to enhance their organization’s ability to achieve its strategic objectives, both during the immediate crisis and far beyond.