The current pandemic crisis is clearly a life-size test for all organizations, whether public or private, whatever the sector and whatever the size. Within the current context, most organizations are becoming aware of the operational reality of their risk management strategies and their business continuity plans, for the worse of for the best, and provided they had more or less internalized and operationalized a risk management and a business continuity management approach.
In times of crisis, organizations’ weak points and strong points are more likely to become visible and potential or effective capacity for resilience, redundancy, pivot, or whatever you may call it, is also manifesting.
Times of crisis are also clearly revealing risk culture which is based on the beliefs, values, appetite and tolerance for risk. The risk culture that prevails in an organization very largely influences its ability to manage its risks. In times of crisis, risk culture is clearly determining the attitude towards risk at it is manifesting at its most heightened level in the form of disruption.
Within the context of the current pandemic crisis, I would like to share hereafter a few remarks:
1. As a matter of fact, it is quite frequent to see that many organizations had previously built risk management strategy and business continuity management strategy into two separate domains hence leading to a perfect siloization. This means that you have on the one hand a risk assessment toolkit that is identifying potential risks together with mitigation strategies and on the other hand a business continuity toolkit that is planning for resilience and contingency based on some other types of risk scenarios. But there is no correlation between the two. The issue lies here essentially around the fact that risk assessments are very often pretty much detailed and focusing on precise and circumvented scenarios whereas business continuity plans tend to focus more on macro-scenarios. There is too often a missing link between the two that is omitting the potential cascading effect of the materialization of a risk and the potential amplification of a risk with consequences on business continuity. On the other hand, business continuity macro-scenarios may clearly entail scenarios identified in risk assessments and hence leading also to potential cascading effect with risk triggers in action. With the current pandemic context, the most visible example lies within heightened cybersecurity risks emerging from massive remote-working of employees being stuck at home.
2. What is more, among many organizations who did have some form of business continuity plans, those plans have simply revealed being of no use at all during the current pandemic crisis. These plans may have been either too specific or too generic for being of concrete and operational use during this real life-test crisis. It goes without saying that some plans may simply have been too theoretical and lacking operational value, not to say that they had never been tested and improved afterwards.
3. The current pandemic crisis is also showing an interesting aspect: it is global, cross-sectoral, cross-functional, perfectly transverse and working across geographies. This requires a more holistic approach towards its mitigation. Simply put it means that an organization is not alone in facing the crisis. In other words, the entire business environment, value chain, ecosystem of the organization is also facing the crisis and at the same time. And this is all the more crucial in our global and interconnected world. At an operational level, it means that the measures and decisions taken by a business partner, a third-party provider, or at higher level by governments and other actors to mitigate the risks may clearly have an impact on the organization. I have a concrete example in mind: a client of mine has had to cope with one of his essential and critical provider’s decision to close its main business site and as a consequence my client had to find a plan B in order to fill the void as the closure of his provider’s business site would have a clear impact on its own business continuity. This means that an organization has to keep abreast of its business environment and ecosystem risk and crisis mitigation strategies because they may have a tangible impact on its own risk and crisis mitigation plans.
I believe it may certainly be too early to draw upon all the lessons to learn from the current pandemic crisis as it requires a cool-headed approach and a distanced view that is difficult to have for most organizations and people in these times. There is right now a sense of urgency and a need for survival that may clearly influence our perception and bring out lots of biases regarding what needs to be learned for the future. Time is always a good teacher.
However, I would say that there is clearly a need for “de-siloization” of risk management & business continuity as well as for cross-value chain & macro-context approach.
I welcome your thoughts and comments.