A state of COVID-19 unreadiness pervades the enterprise.
Just 12% of more than 1,500 respondents believe their businesses are highly prepared for the impact of coronavirus, while 26% believe that the virus will have little or no impact on their business, according to a recent survey by Gartner.
“This lack of confidence shows that many organizations approach risk management in an outdated and ineffective manner,” said Matt Shinkman, vice president in the Gartner Risk and Audit practice.
Fifty-six percent rate themselves somewhat prepared, and 11% said they were either relatively or very unprepared.
By the numbers
Just 2% of respondents believe their business can continue as normal, highlighting the huge range of businesses that could be affected by the outbreak.
Twenty-four percent of respondents expect little disruption, while the majority expect business to continue at a reduced pace (57%), to be severely restricted (16%) or to be discontinued altogether (1%).
The challenge lies partly in the ambiguity inherent to managing an emerging risk such as coronavirus. Organizations often have policies in place to deal with most risks, but they don’t activate them until it’s too late because no one is owning the risk or taking it seriously until it is fully manifested. The threshold for a risk to generate executive action is often too high to enable an effective response.
Shinkman noted that board members tend to deal with emerging risks by just assuming they will go away and instead focus their attention on what is most important today
“In good times this methodology is reinforced because sometimes emerging risks really do just go away. It’s when they don’t that problems inevitably emerge,” he added.
Having an enterprise risk management (ERM) function in place means that an organization is more likely to see risks coming and then mitigate the impact of those emerging risks more swiftly and effectively. Gartner’s view is that a focus on impacts rather than specific scenarios is best practice for ERM.
“It’s nearly impossible to predict exactly if or how a particular scenario will unfold or even when. That’s what creates the ambiguity and often inaction around emerging risks. It’s much more effective to focus on potential impacts and how to mitigate them,” Shinkman suggested.
Pandemic provides a perfect example of how this approach works – companies that wait until the emerging risk is already impacting operations and/or many employees will likely find themselves playing catch up and losing ground to companies that were better prepared.
Companies can get better prepared by considering what interim events could occur that would suggest that a pandemic, or similar emerging risk, is about to sharply increase in terms of its impact or likelihood.
By using an ERM approach to identify and prepare for those specific events – and setting up mechanisms to monitor for them – the best companies are better positioned to avoid major disruption.
Checklist of questions
For those dealing with a crisis response to the coronavirus in their organization, they should have planned responses to specific impacts. For example:
- What will the company do if one employee gets sick?
- Ask all employees to self-isolate?
- Are work-from-home procedures sufficiently mature to support that or will work have to stop?
- Do suppliers or clients need to be notified?
- Is finance able to support operations in the event of anticipated losses?
Using an impacts-based method makes it very clear when to trigger a response plan and to start mitigating the effect of specific impacts on an organization.
Also having response plans that react to specific impacts means it is simpler to communicate the plan to staff, so that all employees can play a part in managing risk.
In fast-moving situations such as this, the more people who are owning risk, the more likely it is that an organizational response will be timely.
Gartner cautioned against over analysing the situation with elaborate ‘what if?’ scenarios. Rather focus on what is known.
“Many organizations likely already have plans in place to deal with the types of disruption they are facing because of the coronavirus. The job of risk management is to ensure the right plans exists and make sure they get used at the appropriate moment,” concluded Shinkman.